MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and a machine learning classifier indicated a high probability of maliciousness. The embedded URL, https://resalured.ru/wix?keyword=minecraft+redeem+code+list, suggests a phishing or credential harvesting attempt disguised as a Minecraft redeem code list. No scripts were extracted, but the PDF structure and URL indicate a phishing lure.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://resalured.ru/wix?keyword=minecraft+redeem+code+list
- https://cdn-cms.f-static.net/uploads/4496389/normal_5fd22c4088c9e.pdf
- https://cdn-cms.f-static.net/uploads/4414169/normal_605d7519b3cd2.pdf
- https://cdn-cms.f-static.net/uploads/4451374/normal_60188786c561c.pdf
- https://cdn-cms.f-static.net/uploads/4456377/normal_6016e5adb645c.pdf
- https://cdn-cms.f-static.net/uploads/4387420/normal_60571dfb2dcd1.pdf
- http://xivekoto.medianewsonline.com/adobe_acrobat_reader_app_download.pdf
- https://cdn-cms.f-static.net/uploads/4486963/normal_5fe8b30620f89.pdf
- https://static.s123-cdn-static.com/uploads/4456134/normal_5ff416962bf71.pdf
- http://mixutadumekaje.mypressonline.com/86567900331.pdf
- https://cdn-cms.f-static.net/uploads/4413986/normal_6038e02b94fdb.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/05b4f27b-b8c7-4a2e-8828-15e57a3cea16/intervention_and_teaching_strategies_in_hindi.pdf
- http://puwagof.rf.gd/rabugitesibebelu.pdf
- https://uploads.strikinglycdn.com/files/4c8e7ddf-6110-4810-86a9-26123057776f/61191738693.pdf
- https://uploads.strikinglycdn.com/files/29ecced2-6d9f-48b2-ae81-a31949be9238/graco_crib_parts_instructions.pdf
- http://pulitisagot.atwebpages.com/36791011643.pdf
- http://pozirumine.epizy.com/wafogew.pdf
- http://kosezofejesuxef.atwebpages.com/2010_camaro_price_range.pdf
- http://lipabarud.atwebpages.com/air_force_previous_question_paper.pdf
- https://uploads.strikinglycdn.com/files/340757d5-2128-4e22-b169-64edae67d77f/can_a_dell_optiplex_7010_run_fortnite.pdf
- http://kusababi.onlinewebshop.net/xadojigok.pdf
- https://uploads.strikinglycdn.com/files/62e4f79e-8ffa-4cf5-9382-f4669dee97db/jbl_sb400_not_working.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000110a7.bin5a2d5f096c4b483fcbf1c9d32be86535e7a68908181572ea7731d2a78b7c1942 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x110A7 | 5172 bytes |
font_01_sfnt_off00012235.binb8561d40209d4357630ed4e79b526c2fd49ae69c517c2595f683f1676dd69156 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12235 | 12196 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.