Verdict: MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URL that, when clicked, leads to a suspicious domain. The document body, though heavily obfuscated, references 'Neverwinter bard class', likely a lure to entice users to click the malicious link.
Machine Learning
- Nyx PDF Classifier malicious score 0.9993
Heuristics (4)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://oniceh.ru/pbw?utm_term=neverwinter+bard+class (PDF link annotation)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0001183a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1183A | 5192 bytes | bc738d8a93141f7684d42194cc53baa6459be33ae1008835e110c20039c63428 |
| font_01_sfnt_off00012a0b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12A0B | 11208 bytes | b54e08e0fab8c045a8876f1ae3e6cab6883303e5f0604aed290330759492383d |