Risk Score: 96 (MALICIOUS)
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
Heuristic analysis of the PDF indicates embedded URLs, and the file is flagged as malicious by ML classifiers and ClamAV. The document body, though obfuscated, suggests a lure related to 'minecraft mods'. The primary malicious URL identified is https://botokaw.ru/wix?keyword=best+minecraft+mods+1.5.2, which is likely used for phishing or malware distribution.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9998
Heuristics (4)
- ClamAV (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://botokaw.ru/wix?keyword=best+minecraft+mods+1.5.2
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000f78a.bin | 4c14b9f15bf8ccd836f4989579bdcc80d0e190ce49307210aa14ed921ae04348 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF78A | 5524 bytes |
| font_01_sfnt_off00010a4c.bin | 7e80b32b9b74ee8422d9e6babd9ce915de04271fef338f96c84f63ee7873f34a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10A4C | 10972 bytes |