MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The file is a PDF document that contains an embedded URI pointing to a suspicious domain, traffking.ru. ClamAV and ML classifiers flagged this PDF as malicious, specifically as a phishing trojan. The document body, though heavily obfuscated, suggests a lure related to 'arbitration guidelines', likely intended to trick users into visiting the malicious URL.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://traffking.ru/aws?utm_term=nar+arbitration+guidelines
- https://cdn-cms.f-static.net/uploads/4366660/normal_5f8753f52eab8.pdf
- https://cdn-cms.f-static.net/uploads/4365662/normal_5f86fe8f12e34.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/cb1a6d0d-3fea-4d28-976b-84a46bb33d32/ecuaciones_lineales_con_dos_variables_ejercicios.pdf
- https://uploads.strikinglycdn.com/files/017a4be6-de68-4220-8f1d-5da73167f841/pennsylvania_drivers_manual_2020.pdf
- https://uploads.strikinglycdn.com/files/4ebfe9bb-bdf9-4be6-a8e9-5408dcec2fa7/gisudumat.pdf
- https://uploads.strikinglycdn.com/files/845cca63-6776-4990-98bb-6a30a4aec2cb/advance_auto_parts_boca_raton_fl.pdf
- https://uploads.strikinglycdn.com/files/25601e5a-7783-4eb8-a773-7bc2b9fda876/tri_state_bus_ohare_to_highland.pdf
- https://uploads.strikinglycdn.com/files/49f05c45-3791-49f8-aa65-c8a89d39d077/the_wadsworth_guide_to_research.pdf
- https://uploads.strikinglycdn.com/files/528d41d9-4023-48e3-8b08-2794edc98540/51876586162.pdf
- https://static1.squarespace.com/static/5fc537ae0a2757459bff2ea8/t/5fd1fe6d87bef85997f33f1b/1607597678545/61220292503.pdf
- https://uploads.strikinglycdn.com/files/05e9c113-df34-414b-97f9-56eb88edf305/newuxalusadamosomulimala.pdf
- https://uploads.strikinglycdn.com/files/45dae1b4-8559-4c91-b5ab-07252ba11081/91552146082.pdf
- https://s3.amazonaws.com/fosagoba/daverabikavorofizef.pdf
- https://s3.amazonaws.com/wizuluworafid/zukageferuwilawizoruwu.pdf
- https://uploads.strikinglycdn.com/files/482e229a-ff72-4949-a2ad-9101d605f3de/nulujogobigokozab.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0001508b.bin1856ae2cf0142d4e9e6ebf12f08a1bbcbd5bba62df6c3589e8574469a60f1903 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1508B | 5100 bytes |
font_01_sfnt_off000161f4.binc17582230f7a55ef5bade21d40de2da7fc81b2f35f7b0ef9e1c2803ae0e92f40 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x161F4 | 11804 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.