MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The file is identified as malicious by a ClamAV detection and an ML classifier. It contains an embedded URI pointing to 'https://trafficel.ru/aws?utm_term=digimon+world+1+digivolution+guide', which is likely used for phishing or to download a secondary payload. The document body is heavily obfuscated, but the presence of the external URI suggests a malicious intent to redirect the user to a potentially harmful site.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://trafficel.ru/aws?utm_term=digimon+world+1+digivolution+guide
- https://cdn-cms.f-static.net/uploads/4371508/normal_5f9337000d996.pdf
- https://cdn-cms.f-static.net/uploads/4375694/normal_5f89712f230d7.pdf
- https://cdn-cms.f-static.net/uploads/4374518/normal_5f90499ab93ca.pdf
- https://cdn-cms.f-static.net/uploads/4406168/normal_5fa5f2b510e59.pdf
- https://cdn-cms.f-static.net/uploads/4377113/normal_5fae12c5600bd.pdf
- https://cdn-cms.f-static.net/uploads/4369935/normal_5f8d1dfbd6dfa.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/4311ae75-0a14-4a88-99cd-f953d53e5da7/85491061622.pdf
- https://uploads.strikinglycdn.com/files/5c6999ce-c72c-4c1c-9af4-17a220ee7b7e/ocean_11_scene.pdf
- https://uploads.strikinglycdn.com/files/9d93ae3b-33d4-4c13-a365-ecc5738aa847/sozenewiginiguxesomafini.pdf
- https://uploads.strikinglycdn.com/files/4b6674df-dfb4-4262-863c-30fcd4096a12/cotton_wool_spots_vs_drusen.pdf
- https://uploads.strikinglycdn.com/files/7c048fe5-1b89-4be2-b5a2-8979203f9c66/potepamowegifinexom.pdf
- https://uploads.strikinglycdn.com/files/5a2363ab-1b85-422d-8110-15954079e2d1/chapter_25_paired_samples_and_blocks_answers.pdf
- https://uploads.strikinglycdn.com/files/5249739b-b105-44f1-96fb-e990403d295c/nebogi.pdf
- https://uploads.strikinglycdn.com/files/60b947dd-77e7-4317-8e3a-6835ab940446/javawefez.pdf
- https://uploads.strikinglycdn.com/files/934ca635-130d-456e-83bd-aac16ad14b24/90337639209.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000c786.binfb23d864dd4f6071a84a69c21933e221d4cbf3b6e84a4af2b2b93b9c385fe64a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC786 | 4960 bytes |
font_01_sfnt_off0000d86d.bina74fd2aa55fdafa8e80001c06939eaebd25cd2717f160a71bf10ae6843fa4de7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD86D | 11428 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.