MALICIOUS
136
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains an embedded URL pointing to 'trafffe.ru', which is likely used for phishing or to download a secondary payload. The document body, though heavily obfuscated, contains fragments related to product names and application details, suggesting a lure to disguise the malicious URL.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMANDExtracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://trafffe.ru/strik?utm_term=chi+curling+iron+1.5+inch
- https://cdn-cms.f-static.net/uploads/4372378/normal_5f8be0198f065.pdf
- https://cdn-cms.f-static.net/uploads/4377102/normal_5f8ce04317c97.pdf
- https://s3.amazonaws
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/zonivezada/bitter_leaf_plant.pdf
- https://static1.squarespace.com/static/5fc0f4a62e34347c70445090/t/5fc1660a9d79364840c219c6/1606510090423/73893573934.pdf
- https://s3.amazonaws.com/gupuso/3225632088.pdf
- https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbd1c3643516d6aa83e0ca2/1606229049253/sasufikuremob.pdf
- https://s3.amazonaws.com/janodojivi/blair_witch_walkthrough_guide.pdf
- https://s3.amazonaws.com/sefipa/3263846042.pdf
- https://static1.squarespace.com/static/5fc5af41a3bf4b14abc9db24/t/5fcd7228c836a917f921b64e/1607299624319/red_button_up_dress_shirt.pdf
- https://static1.squarespace.com/static/5fc021705e8e827d4289a3fa/t/5fc0e36d9d79364840ae1d4c/1606476653933/44312104107.pdf
- https://uploads.strikinglycdn.com/files/aef590e7-c03e-4abd-8821-e957028efb53/33684112124.pdf
- https://s3.amazonaws.com/wewuxuviwar/kugami.pdf
- https://static1.squarespace.com/static/5fbfe7e212facd59cea75dab/t/5fc86ee06652ad59ec28fc31/1606971108097/30226358578.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000d5fa.bin3ab348bc964e7cb8b0ec730ceccc1451cacc1b8c2f2714dbceb40d60235b52cc |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD5FA | 4784 bytes |
font_01_sfnt_off0000e644.binefec123a87ba57f511de8021463ef8906a45bdfebab9d79c3a5d41129b23371e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE644 | 10544 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.