MALICIOUS
216
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.001 User Execution: Malicious Link
The sample was flagged by multiple heuristics, including brand-impersonation credential phishing and ML classification, indicating malicious intent. The presence of numerous external links, including one impersonating Amazon, suggests a phishing campaign. The document body, though heavily obfuscated, contains references to product keywords and application details, likely serving as a lure to disguise the malicious links.
Machine Learning
- Nyx PDF Classifier malicious score 0.9993
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Brand-impersonation credential phishing lure critical SE_BRAND_CREDENTIAL_PHISHDocument impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://vetasokimatajed.weebly.com/uploads/1/3/5/2/135296406/pudatagipowaw.pdf.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ponafet.ru/wb?keyword=frigidaire%20fghc2331pfaa%20water%20filter%20bypass PDF link annotation
- https://vetasokimatajed.weebly.com/uploads/1/3/5/2/135296406/pudatagipowaw.pdfIn PDF document text
- https://xafineker.weebly.com/uploads/1/3/4/7/134701786/tonaxerewe.pdfIn PDF document text
- http://gopizapa.22web.org/copycats_crossword_answer.pdfIn PDF document text
- https://goreduve.weebly.com/uploads/1/3/2/7/132740848/vomikosirot_limob_tibubejomow.pdfIn PDF document text
- https://xisofapetuv.weebly.com/uploads/1/3/4/7/134747578/xowasiluwofom.pdfIn PDF document text
- https://pimupaxepa.weebly.com/uploads/1/3/1/8/131857198/c207519f.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/b7380e9b-2c83-4b8a-a331-ab33c163cbfa/26142525742.pdfIn PDF document text
- http://kebanibaru.epizy.com/making_of_the_english_working_class.pdfIn PDF document text
- https://s3.amazonaws.com/votuweroxigezog/20616475443.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/db9e2a96-0a06-452a-a119-0e8aa12b93bc/yoga_poses_for_weight_loss_in_a_week.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/49a9eb3e-14c9-4c95-8c9d-a6210c9b1e99/peter_et_wendy_2021.pdfIn PDF document text
- https://s3.amazonaws.com/dusubonifu/film_boneka_chucky_full_movie_2017.pdfIn PDF document text
- https://s3.amazonaws.com/dazifozixawus/asphalt_8_for_pc_filehippo.pdfIn PDF document text
- https://s3.amazonaws.com/tesotiwapax/how_do_i_reset_my_ubee_router.pdfIn PDF document text
- https://s3.amazonaws.com/sefepugolupalax/alphabet_franais_avec_image.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ed904d28-1e01-40cc-a1bd-89212c4b0a07/default_password_for_netgear_router_v7610.pdfIn PDF document text
- https://s3.amazonaws.com/zagapaxa/wuzupazama.pdfIn PDF document text
- http://memekafese.rf.gd/58886001701.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/7c497b0d-079c-46a7-b6f9-ae152fe23609/best_paintball_guns_under_100.pdfIn PDF document text
- http://logabijizuz.epizy.com/libro_caballo_de_troya_1_para_leer.pdfIn PDF document text
- https://s3.amazonaws.com/mefovu/meminoxi.pdfIn PDF document text
- https://s3.amazonaws.com/bodajaku/synonyms_list_for_third_graders.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/37fa5218-2508-424f-9b56-307dc20925c4/93542271826.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00012ccf.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12CCF | 6056 bytes |
SHA-256: 23d92e87b4f7a9a6acc3590c545cc7cbabe78364a30f5c015b2a8f580b269ef6 |
|||
font_01_sfnt_off00014185.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x14185 | 12612 bytes |
SHA-256: d4696cf8bfd072b24babcd4d36e656d36488b3fc0583b548cf36ed9d44ed82d4 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.