Verdict: MALICIOUS
Risk Score: 172
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file was flagged by ClamAV as a phishing trojan and ML classifiers indicated a high probability of maliciousness. The document body, though heavily obfuscated, contains keywords related to 'GST payment voucher', suggesting a lure. The PDF contains a large number of external links, with one prominent URL pointing to a suspicious domain, likely intended to download a second-stage payload. No scripts were extracted, but the overall structure and heuristic firings strongly suggest a phishing or malware distribution attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 7
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Fake invoice / payment lure (low, SE_INVOICE_LURE): Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators.
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000e48c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE48C | 5556 bytes | 3204c13ded929f7379435f56bd61014929f06228923ddacbc29d8afc5abbfa6d |
| font_01_sfnt_off0000f75c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF75C | 10840 bytes | 699ef00a315152152b6053e2b4397c4c4545b9cf6ae4c138e3a57a5ec3f3895b |
| font_02_sfnt_off00011cc1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11CC1 | 16060 bytes | 5b0d2701ab39d2f69c66d7d16c60d8db0b323aa0832947137e757b5401d27330 |