MALICIOUS
104
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The ML classifier and ClamAV detection strongly indicate maliciousness. The presence of an external URI pointing to a suspicious domain, combined with heuristics for urgency lures, suggests a phishing or malware distribution attempt. Although no scripts were explicitly extracted, the PDF format often embeds JavaScript for malicious actions, and the external URI is a primary indicator of compromise.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Urgency / deadline lure low SE_URGENCY_LUREDocument contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://gimoguvi.ru/award?keyword=basic+accounting+in+tally+pdf
- http://taygerr.com/fegunnsiur.pdf
- https://cdn-cms.f-static.net/uploads/4368226/normal_6022d8db7ab90.pdf
- https://cdn-cms.f-static.net/uploads/4493549/normal_60559331801eb.pdf
- http://tojugurorozusu.22web.org/mobogenie_for_pc_latest_version_free.pdf
- http://siteznakomstv69.space/569352700459gpsq.pdf
- https://cdn.sqhk.co/gadukupuwe/Vju0aBx/betonimixenaluzoxejowula.pdf
- https://cdn.sqhk.co/nogugojuri/ghheje7/drift_fortnite_costume_amazon.pdf
- https://cdn.sqhk.co/gavezexu/iiMhd99/79116222674.pdf
- https://cdn.sqhk.co/belebudetub/cFPKSxe/frog_tapestry_kit.pdf
- https://cdn-cms.f-static.net/uploads/4369495/normal_6056ebc8ac3af.pdf
- https://cdn.sqhk.co/kogeledewafo/kLAhh7U/37902671004.pdf
- https://static.s123-cdn-static.com/uploads/4384167/normal_5ff22405f0e50.pdf
- http://crawlmqyu.space/wipomezoxeludutisolulia6h.pdf
- https://cdn.sqhk.co/wamedexipun/dUjeeJa/wejesilifesemerek.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- http://jefitotirezakif.epizy.com/ajanta_and_ellora_caves_history.pdf
- http://bidasumibave.epizy.com/blank_guitar_tab_sheet.pdf
- http://xuxadak.epizy.com/82034528941.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000da59.bin02941928884c65d20fbca57c88c5f27b82324a699fec9aa8cc39c402f0dbd3f8 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDA59 | 5140 bytes |
font_01_sfnt_off0000ebe6.bin81a17bd75d39e1d27bebb9b8cb18c92e0a762df4300b1ce2b7161ef9dac7168d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEBE6 | 10900 bytes |
font_02_sfnt_off0001115e.bind1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1115E | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.