MALICIOUS
136
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains heuristics indicating it is a phishing lure, using an image to redirect users to an external URL. The ML classifier and ClamAV detection strongly suggest malicious intent. The primary redirector URL is `https://zajinet.ru/strik?utm_term=little+house+on+the+prairie+season+5+episode+17`, which is likely part of a phishing campaign.
Machine Learning
- Nyx PDF Classifier malicious score 0.9903
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINKPDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://zajinet.ru/strik?utm_term=little+house+on+the+prairie+season+5+episode+17 PDF link annotation
- http://afracheat8.xyz/auto_gangster_mod_apk_home72f82.pdfIn PDF document text
- https://cdn.sqhk.co/virurewev/e3Lzshl/kenibulor.pdfIn PDF document text
- http://mazafaka69pussy.online/skyblock_hypixel_guidemdg8f.pdfIn PDF document text
- https://cdn.sqhk.co/berazanoga/idX6NGe/nubotagume.pdfIn PDF document text
- http://idealica-ufficialeitalia.website/kusivumapelorasalowivebuvcxryz.pdfIn PDF document text
- https://cdn.sqhk.co/tipefima/hg7Bugt/13085279000.pdfIn PDF document text
- https://cdn.sqhk.co/videgogaf/NjhEgeB/bias_fx_crackeado.pdfIn PDF document text
- https://cdn.sqhk.co/widafopaj/jbeCRjd/9338699712.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://234d5d8d-19c9-4cab-a884-dd0775662658.filesusr.com/ugd/fb7225_b57fc419e0e64d14b7312fe8f29ff8b0.pdf?index=trueIn PDF document text
- https://e437b920-fa79-41d5-b67c-0ca059f4e77a.filesusr.com/ugd/d97c10_f67dc76d9e9d47a09503205ab0ea35a2.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/9a63226b-e1cd-4132-b6ac-d5f1a587a6f1/what_does_the_word_grimoire_mean.pdfIn PDF document text
- https://684917c6-b594-4497-9ea4-141105166a5b.filesusr.com/ugd/0dc9f5_9bed03831caa4f3e8116ea514498eea8.pdf?index=trueIn PDF document text
- https://bb74f61c-7045-47bf-9a7e-968101ee373e.filesusr.com/ugd/81ef4b_c08c7818e81942b79bab843a618c002f.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/899102e3-777c-4112-9b48-d001539c9689/huckleberry_finn_summary_chapter_21-25.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/4fcb9494-291f-4bda-87c8-28755eb25672/what_is_the_world_is_too_much_with_us_poem_about.pdfIn PDF document text
- https://s3.amazonaws.com/wujafivabipo/garebiwezedetofezedukori.pdfIn PDF document text
- https://s3.amazonaws.com/divelatoxa/the_birdcage_full_movie_free.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/2bbbdc3f-d6c5-409a-86b7-ccddc7754ff0/monitor_de_signos_vitales_philips_intellivue_mx450.pdfIn PDF document text
- http://jizanisan.epizy.com/fuwodemijipi.pdfIn PDF document text
- http://bubizimus.epizy.com/bemodilogidejisuwoviwi.pdfIn PDF document text
- https://s3.amazonaws.com/tiluwisulepam/xanathars_guide_to_everything_magic_item_crafting.pdfIn PDF document text
- http://kewupuz.rf.gd/14000_things_to_be_happy_about_book_review.pdfIn PDF document text
- https://5c817321-7c0c-448b-959d-deb1da9fd788.filesusr.com/ugd/19103d_c8ced0ee83534e0c904dffe7609d9440.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00035882.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x35882 | 5244 bytes |
SHA-256: e1c943eccd13cb71cbc35e57d7624b7f1d21373f001d257d089fe7aba6dc1535 |
|||
font_01_sfnt_off00036a5b.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x36A5B | 12116 bytes |
SHA-256: 549e10ce9324693f73be4a5c16e3c88839630dc5575fa0383e29cadd31a35d2b |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.