MALICIOUS
256
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1566.002 Spearphishing Link
T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. It uses brand-impersonation credential phishing, a password-protected-archive lure and a seed-phrase/secret-recovery lure. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9990
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Recovery secret / private key request critical SE_SECRET_RECOVERY_LUREDocument requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
-
Brand-impersonation credential phishing lure critical SE_BRAND_CREDENTIAL_PHISHDocument impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://xanowiporak.weebly.com/uploads/1/3/0/8/130814060/mozibujanojojip-zuledem.pdf.
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://midufefew.ru/123?utm_term=allah+ke+99+naam+video++hd PDF link annotation
- http://about-igsupport.com/pituxizoxaponemopi8x5ka.pdfIn PDF document text
- http://websporizle3.com/besozejajumifasag2ker.pdfIn PDF document text
- https://cdn.sqhk.co/vefemenivu/6ONhdje/36853981195.pdfIn PDF document text
- https://xanowiporak.weebly.com/uploads/1/3/0/8/130814060/mozibujanojojip-zuledem.pdfIn PDF document text
- https://cdn.sqhk.co/kataregulu/jdunhfx/music_like_jump_around_by_house_of_pain.pdfIn PDF document text
- http://closemaze.com/90831102835fymfi.pdfIn PDF document text
- https://mitenipup.weebly.com/uploads/1/3/4/3/134363071/tuxowegomibazig.pdfIn PDF document text
- https://cdn.sqhk.co/pozigafo/bphc7hf/21192599208.pdfIn PDF document text
- http://stebsmeh.space/monkey_d_luffy0bk9y.pdfIn PDF document text
- https://rujurujubawupof.weebly.com/uploads/1/3/0/9/130969172/cd2163804.pdfIn PDF document text
- https://cdn.sqhk.co/kugoxepif/if4MjiK/gezejixak.pdfIn PDF document text
- https://rajomewebi.weebly.com/uploads/1/3/4/7/134712267/gaxobetow.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://48e5b1ff-25fb-49a4-826b-3ad3f3a15688.filesusr.com/ugd/0d632a_5ac4f98932a34a17b23d6a8be948bb2a.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/vidadaviwal/zulojala.pdfIn PDF document text
- https://s3.amazonaws.com/varolexexus/45910692036.pdfIn PDF document text
- https://a2fe464c-28d1-4db8-bb2d-552ad9bc2f4d.filesusr.com/ugd/941bb1_98b0c8a1d9b0433aa4fe8560bd1c780e.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/rizezobabub/what_is_the_current_sat_scoring_system.pdfIn PDF document text
- https://s3.amazonaws.com/xakusineba/bombay_movie_songs_tamil_video_song.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0002a1e6.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x2A1E6 | 5060 bytes |
SHA-256: 2c156ca992b4a2eb5aa4201030b697157dc4b359def83f3d38e47d2b31bcdbad |
|||
font_01_sfnt_off0002b2fe.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x2B2FE | 12328 bytes |
SHA-256: 818674515766e3c279f80cac6e8880986da4260baa82e1fefae018c5c1e4cce7 |
|||
font_02_sfnt_off0002dd43.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x2DD43 | 16204 bytes |
SHA-256: 532315dfdc59b350d447ad91845dd8cc72a836e684f536ab9a4305dc5b53fb8e |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.