Verdict: MALICIOUS (Risk Score 96)
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to 'zajinet.ru', which is likely part of a phishing or malware distribution scheme. The document body, though heavily obfuscated, suggests a lure related to 'wave motion notes pdf', indicating a targeted phishing attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics (4)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://zajinet.ru/award?keyword=wave+motion+notes+pdf
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000e6cd.bin | 21dcfdecbcffa2bfc59eaf496ee048f10373c73da55ae11396ca44e75747737f | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE6CD | 4920 bytes |
| font_01_sfnt_off0000f783.bin | 5c1f8dd18d87a07bef6f1903dc71bebd626b579317d83d8e64493e786140f61f | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF783 | 10240 bytes |
| font_02_sfnt_off00011a92.bin | ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11A92 | 4324 bytes |