MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The presence of embedded URLs, despite some being marked as benign, suggests an attempt to redirect the user to external content. The PDF_URI heuristic points to a specific external URI, which is a common tactic for phishing or malware delivery. No scripts were extracted from this sample, but the overall structure and detection results point towards a malicious PDF designed to exploit user interaction.
Machine Learning
- Nyx PDF Classifier malicious score 0.9920
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://feedproxy.google.com/~r/sq/ugae/~3/CHqDoFjlE84/square?utm_term=rcl+daily+readings
- https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60ecb1c9bb2b39086b6ba7e3/1626124745590/harry_potter_half_blood_prince_watch_online.pdf
- https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ecb1d7a506f377f536bf44/1626124759432/in_what_two_ways_can_a_machine_alter_an_input_force.pdf
- https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60e80227f29cd6423db5e276/1625817639239/91332772923.pdf
- https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ec7e446ad76c09748fa8c5/1626111556675/nightmare_withered_toy_chica.pdf
- https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60ec92f71d0b3933755244f9/1626116855725/convert_from_to_word_without_losing_format.pdf
- https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60ecb030f9fdfb3a2d2f43c4/1626124336922/50721155467.pdf
- https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60e8007f57d2352c927de56f/1625817216303/were_there_thunderstorms_last_night.pdf
- https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60e8b4f02b4d945990ae97ba/1625863408817/86642761486.pdf
- https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60e963402dabf27235564123/1625908033024/jemebawijorube.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000fdbb.bin8134c339f51206678dc4d30cbb00a2f25c2c8850464de1e06a467593e05aa9b8 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFDBB | 17696 bytes |
font_01_sfnt_off00012c39.bin56b9e5aa27d1f3abb93fbaa093b5a34b755b9834eb3cb141d57ee39c54a3cffa |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12C39 | 10488 bytes |
font_02_sfnt_off000143ef.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x143EF | 16792 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.