Verdict: MALICIOUS
Risk Score: 136
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains multiple suspicious links, including one that redirects to a potentially malicious PDF hosted on a suspicious domain. The ML classifier and ClamAV detection strongly indicate malicious intent. The presence of embedded URLs and the lure text suggest a phishing or malware distribution attempt.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9998
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Image-heavy PDF with invisible link to suspicious domain (high, PDF_SUSPICIOUS_LINK_LURE): PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000f3e6.bin | f5d4f9e0e5acadf7e426b71acff679cc55dadcb3b46429b85bc325d8c227c1fc | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF3E6 | 5320 bytes |
| font_01_sfnt_off00010626.bin | 44addcc1e1fb82a43dbcd049d61e51813677bb02a498ce63773013b7865106e1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10626 | 11456 bytes |