MALICIOUS
174
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
T1203 Exploitation for Client Execution
The PDF file was flagged as malicious by multiple heuristics, including a critical alert for linking to known malicious redirector infrastructure and a machine learning model. The 'SE_CALLBACK_LURE' heuristic specifically indicates a callback phishing or tech-support scam pattern, where the document likely prompts the user to call a phone number. While no scripts were extracted, the presence of a malicious URL and the nature of the heuristics strongly suggest an attempt to trick the user into engaging with a fraudulent service.
Machine Learning
- Nyx PDF Classifier malicious score 0.9979
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Callback phishing phone lure medium SE_CALLBACK_LUREDocument asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://cctraff.ru/123?utm_term=revised+uniform+partnership+act+florida
- https://cdn.sqhk.co/kapudome/W4Kjbgj/xurubok.pdf
- https://cdn-cms.f-static.net/uploads/4381105/normal_5fd9bfcb4aa7c.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/5e5a41bf-bb0e-4ab5-96db-9bf526b4354a/wovuxajisul.pdf
- https://uploads.strikinglycdn.com/files/0f84bb14-0e70-4650-994d-c29e141aba82/parallelogram_proofs_worksheet_with_answers.pdf
- https://uploads.strikinglycdn.com/files/9bdbe097-111b-4d77-b244-89b4df3d792f/ebay_fortnite_accounts_ps4.pdf
- https://uploads.strikinglycdn.com/files/f183b905-2719-42af-a0c3-558760d7d346/56588046701.pdf
- https://uploads.strikinglycdn.com/files/9c111f5c-4ed9-4212-839d-b86b2783b6b2/1845446139.pdf
- https://s3.amazonaws.com/mojivikapeti/392326882.pdf
- https://s3.amazonaws.com/kozibowisenatu/23964036745.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e5be.bin4eb6eb74b335b8ce4cf928d64e6d4c6d595fbe38519c45de4b0e79ef673bf5cc |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE5BE | 5460 bytes |
font_01_sfnt_off0000f82f.bin4a4794565a4ba3a61e1e34ada3bcaab19e943032ea8e6d28efcbacbe40f682e7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF82F | 11796 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.