MALICIOUS
136
Risk Score
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
This PDF document was flagged by multiple heuristics, including a high-confidence ML classifier and ClamAV, indicating malicious intent. The presence of a 'Clipboard command execution lure' heuristic suggests the document instructs users to copy and paste commands into a shell, a common technique for downloading and executing second-stage payloads. The embedded URL 'https://jumiwimov.ru/strik?utm_term=macbook+pro+tutorial+for+beginners+2019' is likely the initial point of contact for this payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LUREDocument tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://jumiwimov.ru/strik?utm_term=macbook+pro+tutorial+for+beginners+2019
- http://sushibara.net/the_road_back_to_you_test7vqri.pdf
- https://cdn-cms.f-static.net/uploads/4444117/normal_602c6e6675b95.pdf
- https://static.s123-cdn-static.com/uploads/4426269/normal_5fe15dcaf394c.pdf
- https://static.s123-cdn-static.com/uploads/4403266/normal_60002eb48816b.pdf
- http://flymoney.net/financial_institutions_management_9th_editionj5jqn.pdf
- https://cdn-cms.f-static.net/uploads/4367017/normal_60142e76a2aba.pdf
- https://static.s123-cdn-static.com/uploads/4379377/normal_5ffcb3ba57e23.pdf
- https://cdn-cms.f-static.net/uploads/4422645/normal_60305ade75bb8.pdf
- https://cdn-cms.f-static.net/uploads/4458840/normal_5fd5fe4348f61.pdf
- https://static.s123-cdn-static.com/uploads/4368953/normal_5ff2846823701.pdf
- http://creditinquiry.info/h3po4_is_a_stronger_acid7151j.pdf
- https://cdn-cms.f-static.net/uploads/4405194/normal_6037a3a3df25a.pdf
- https://static.s123-cdn-static.com/uploads/4373986/normal_5fc71fcfa2db2.pdf
- http://avtoshkola-region26.ru/granny_square_crochet_blanket_tutorialymzzs.pdf
- http://verifybadgesbusiness.com/legends_of_runeterra_cards_wikiuayjr.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://rutozaduv.epizy.com/mafefatagabovevuviko.pdf
- http://wuzuruwevirelu.rf.gd/rigomu.pdf
- http://vodupuginotipir.rf.gd/29123163128.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00010b5b.bincdcc098615d9ac01e212668827c17b527ee66f4b3bb778caf8563e15f05420d5 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10B5B | 5876 bytes |
font_01_sfnt_off00011f7b.bin55a88e8b0083ed3a28927635e68a3cffb8413009c7ad325fb8cd175f209f4780 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11F7B | 10784 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.