MALICIOUS
166
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
T1059.007 JavaScript
The sample is a PDF document flagged by ML classifiers and ClamAV as malicious. It employs social engineering tactics, specifically a 'ClickFix' attack, by presenting a fake technical issue ('Windows 10 keeps restarting after shutdown') and instructing the user to execute a command. This is a common lure to bypass security controls and execute a payload. The embedded URLs likely lead to the download of a second-stage malicious file.
Machine Learning
- Nyx PDF Classifier malicious score 0.9993
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
ClickFix social engineering attack high SE_CLICKFIXDocument instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://soxebez.ru/wix?keyword=windows+10+keeps+restarting+after+shutdown PDF link annotation
- http://tryplafond.xyz/kefasekn9kb2.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4418972/normal_5ffcd7fb31507.pdfIn PDF document text
- http://pozijuza.scienceontheweb.net/66316684135.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4415929/normal_5fdf5f008e251.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4384645/normal_5fe99bafceb2a.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4497688/normal_6024219bd2cd5.pdfIn PDF document text
- http://parazepurafeza.medianewsonline.com/54076069346.pdfIn PDF document text
- http://bunnygummy.ru/vijefolugu72daz.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4404745/normal_604697e19f757.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4378834/normal_6037efbda798b.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4409243/normal_5fc90ab2ecd89.pdfIn PDF document text
- http://reduslim-officialsite.site/sututabejolajelubo1ao0.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4392651/normal_60396b8f46975.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/78e85852-0aef-453b-81cc-50beb767dcf6/iso_27001_password_management_system.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/213fc019-56d8-48a6-bd81-28ab73ecd64c/what_is_the_most_advanced_math_in_the_world.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/0ce5ae3d-3534-4deb-9251-7c5855c1173c/69243907760.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/7c46a30e-27b4-4249-81c3-70417b5bf860/58989001662.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/279b0206-273e-4ac6-82ac-ddd2c17d5006/63829221005.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/5813e126-5c58-471b-a2dd-eef20f40c8dc/priscilla_shirer_armor_of_god_session_1_full_video.pdfIn PDF document text
- http://zikoliduxa.atwebpages.com/rapovebilegojorebit.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/271c9b78-95a0-4578-9788-f2a2c8f36e4b/what_shows_are_on_newsmax.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/eb893e8a-b851-4167-af0b-b9b3a21874b3/elemental_magic_book.pdfIn PDF document text
- http://pebomotixot.myartsonline.com/jidemiv.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/7e5b2984-f7e5-4c7c-a4ed-391de330c3ae/vodojugosigikixorupefe.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f4a5.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF4A5 | 5636 bytes |
SHA-256: c7e25c5545d515bea44aa870552cfa9aba76c4cc6ff1f26445718f0fc5c9e6e6 |
|||
font_01_sfnt_off000107f4.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x107F4 | 11228 bytes |
SHA-256: 4c2f9cdb882a30bcb4451f2e6d16e0cfc8c8f544865d6e125fd5848f0d38be6f |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.