MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains embedded URLs that mimic search results, suggesting a phishing or redirection attempt. The ClamAV detection and ML classifier strongly indicate malicious intent, likely for delivering a secondary payload or leading to a malicious site. No scripts were extracted, but the presence of external URIs points to a social engineering tactic.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://cdn-cms.f-static.net/uploads/4402933/normal_5fd5f592e7b33.pdf
- https://pawuzoratifeze.weebly.com/uploads/1/3/4/4/134471058/9193435.pdf
- https://static.s123-cdn-static.com/uploads/4470960/normal_5ff989ce758e2.pdf
- https://static.s123-cdn-static.com/uploads/4444638/normal_6003dd951b967.pdf
- https://valezofijamope.weebly.com/uploads/1/3/4/4/134445284/9058204.pdf
- https://cdn-cms.f-static.net/uploads/4485308/normal_605859194a52c.pdf
- https://cdn-cms.f-static.net/uploads/4420761/normal_6018607eb68e5.pdf
- https://static.s123-cdn-static.com/uploads/4367964/normal_5feb7e73ebd6f.pdf
- https://cdn-cms.f-static.net/uploads/4369330/normal_60624bf8481af.pdf
- https://cdn-cms.f-static.net/uploads/4376875/normal_604e7ce2e4252.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://feedproxy.google.com/~r/wb/ENAH/~3/mO-5lVq97NI/wb?keyword=what%20coding%20language%20is%20similar%20to%20vba
- https://uploads.strikinglycdn.com/files/dbf769a3-16e4-4e39-9ff0-51fa2869294c/basketball_legends_unblocked_79.pdf
- https://uploads.strikinglycdn.com/files/0b8ed842-c1c0-4cbd-8854-929fe5361f06/2012_toyota_camry_automatic_transmission_fluid_change_interval.pdf
- https://uploads.strikinglycdn.com/files/bea9f63a-d615-438f-a9fb-80e35532a92b/60876537265.pdf
- https://uploads.strikinglycdn.com/files/6480e800-ebe5-4c5d-ba61-620d4c4d27fb/how_to_properly_take_blood_pressure_with_a_wrist_cuff.pdf
- https://uploads.strikinglycdn.com/files/011499e9-8f63-4680-92f1-81b306631d98/does_ring_video_doorbell_have_a_monthly_fee.pdf
- https://uploads.strikinglycdn.com/files/a3846beb-9193-4bee-aaf7-4bafef41fc30/62588612142.pdf
- https://uploads.strikinglycdn.com/files/74b96fb9-84ee-4e67-9f75-f50151a0671e/kejenegaxojif.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000eb57.bin0cf3d743452bfa56f9aedbb3c4e40ba9d27d3ffd01c71dc687d645723dd3662e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB57 | 5564 bytes |
font_01_sfnt_off0000fe25.bine23dd5dac6e389f6abd298b2d572a77340cd0864249f0554cd30fb712048bd05 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFE25 | 10556 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.