MALICIOUS
174
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The sample is a PDF document flagged as malicious by multiple heuristics, including a critical finding for a link to known malicious redirector infrastructure. The 'SE_CALLBACK_LURE' heuristic indicates the document is designed to trick users into calling a phone number, a common tactic in callback phishing or tech-support scams. While no scripts were directly extracted, the PDF structure and malicious URL suggest an attempt to exploit user trust for financial gain or credential theft.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Callback phishing phone lure medium SE_CALLBACK_LUREDocument asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://yafferge.ru/aws?utm_term=denham+springs+police+department+accident+reports In PDF document text
- https://static.s123-cdn-static.com/uploads/4462350/normal_5fcef63d6546c.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4404987/normal_5fb6118aa45ee.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4373509/normal_5f95d4d82de16.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4375696/normal_5fcc3be98e0c4.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4476122/normal_5fa6c07e8f1ab.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4418566/normal_5feea5d9362e7.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4411926/normal_5f9d631d84fb6.pdfIn PDF document text
- http://lupaper.22web.org/59653220784.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4406213/normal_5fca946bb7b30.pdfIn PDF document text
- http://vepekideku.iblogger.org/free_employee_incident_report_template.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4383792/normal_5f95fc4435455.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://faxanudof.epizy.com/votuwemife.pdfIn PDF document text
- https://s3.amazonaws.com/muvojugejoxip/expense_sheet_spreadsheet.pdfIn PDF document text
- https://s3.amazonaws.com/temujonuwu/cardiac_tamponade_jvp_waveform.pdfIn PDF document text
- https://s3.amazonaws.com/semuxemakaw/20239269890.pdfIn PDF document text
- http://gozajogef.rf.gd/sam._cengage_answers_2019.pdfIn PDF document text
- http://lenixad.epizy.com/sqlite_android_studio_create_database.pdfIn PDF document text
- https://s3.amazonaws.com/gofiguj/54128336373.pdfIn PDF document text
- https://s3.amazonaws.com/xapijifas/14125716879.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000cc24.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xCC24 | 5488 bytes |
SHA-256: 5eb7b6aa15d535815649f3899b5849e8e21042e096d263618d143fa171499260 |
|||
font_01_sfnt_off0000dea3.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDEA3 | 10472 bytes |
SHA-256: d9383be46401d05a6a05507ccb72be19e5baa75549b01a0b50d5416e1077b727 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.