MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF file contains a URL that leads to a download, indicated by the 'unlockmytv apk firestick' query parameter. Heuristic firings and ClamAV detection confirm this PDF is malicious, likely a phishing lure for a trojanized application. The ML classifier also strongly suggests maliciousness.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://traffnew.ru/123?utm_term=unlockmytv+apk+firestick PDF link annotation
- https://cdn-cms.f-static.net/uploads/4383916/normal_5f9fcd230ba9f.pdfIn PDF document text
- https://wesodopudo.weebly.com/uploads/1/3/4/2/134234684/1216083.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4413696/normal_5fb0436165220.pdfIn PDF document text
- https://korodovijexud.weebly.com/uploads/1/3/4/5/134512412/menan-dufenowa.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4375700/normal_5f9888ea68126.pdfIn PDF document text
- https://tegugozitofo.weebly.com/uploads/1/3/0/8/130874592/065fd.pdfIn PDF document text
- https://tinozuxitijerel.weebly.com/uploads/1/3/4/5/134528375/banadajalulimipeser.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4386834/normal_5f906fc7c1ee7.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.daltonmaag.com/In PDF document text
- https://uploads.strikinglycdn.com/files/1b418241-5744-4809-ab4d-d56501feda4f/a_very_big_branch_worksheet_answer.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ccfb1fe4-6a07-4de9-948d-844459abf05c/vpn_unlimited_download.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8e0649b4-1550-4bd4-a481-98e702b4d87e/44531567023.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/4ca561e8-bfef-4e61-9a6a-a42cc01726fd/kufenarenobemoruw.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000d9df.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD9DF | 5164 bytes |
SHA-256: 2f856bca54fa25df5ee77d21e9d4bb30ddcbd58edaba1714ff7a8c42d64e65a0 |
|||
font_01_sfnt_off0000eb60.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB60 | 10788 bytes |
SHA-256: 94b2c97978b71f02888b06fe8253a6c2fc76a913cdd0f7850d8ac0300ffff109 |
|||
font_02_sfnt_off0001101c.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1101C | 4324 bytes |
SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.