Verdict: MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF file was flagged by ML classifiers and ClamAV as malicious, indicating a phishing or trojan threat. The document body, though heavily obfuscated, contains references to 'Hp photosmart plus won't connect to wireless', suggesting a pretext for technical support or troubleshooting. The presence of numerous external URIs, including the suspicious 'fokemale.ru', points towards a phishing campaign or a downloader for a second-stage payload.
Machine Learning:
- Nyx PDF Classifier: malicious score 0.9993
Heuristics (5):
- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://fokemale.ru/123?utm_term=hp+photosmart+plus+won%2527t+connect+to+wireless (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f25f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF25F | 5260 bytes | 6021c4df633263d8ba6cb6e846a437c511f73ae6104778c1679b8978eefd5078 |
| font_01_sfnt_off0001042c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1042C | 10736 bytes | d020986af39e59fcc1f63f913696f64eb41f7d46a3d42a24abd8984b1587cb1e |