MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a phishing site. The document body, though heavily obfuscated, contains text that appears to be a lure.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://resalured.ru/strik?utm_term=the+koran+bible
- https://static.s123-cdn-static.com/uploads/4366312/normal_6005f648b3d75.pdf
- https://cdn-cms.f-static.net/uploads/4425933/normal_601b43398ecef.pdf
- http://tipografiyav.moscow/volexuzafajovidezoguliievcg.pdf
- https://static.s123-cdn-static.com/uploads/4380213/normal_5fcdfcc094f63.pdf
- http://ehaberdevlet.com/genie_model_gict390_battery_changeay0h9.pdf
- http://zosigar.iblogger.org/jig_fishing_for_crappie_techniques.pdf
- https://cdn-cms.f-static.net/uploads/4418171/normal_603155a714558.pdf
- https://cdn-cms.f-static.net/uploads/4451565/normal_605c1731a7481.pdf
- https://cdn-cms.f-static.net/uploads/4447434/normal_6029426565762.pdf
- https://cdn-cms.f-static.net/uploads/4470552/normal_6011814a4f9af.pdf
- http://misirabul.22web.org/xumejatapenubuwaf.pdf
- https://cdn-cms.f-static.net/uploads/4388282/normal_606246092e56d.pdf
- https://cdn-cms.f-static.net/uploads/4417535/normal_6022aaa1a7d08.pdf
- http://befipekawuzader.iblogger.org/borewell_recharge_techniques.pdf
- https://cdn-cms.f-static.net/uploads/4444092/normal_605dc24a77d3d.pdf
- https://static.s123-cdn-static.com/uploads/4369141/normal_5ff67942cd101.pdf
- https://static.s123-cdn-static.com/uploads/4485942/normal_6003275aebbb7.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://nunemasagabegu.rf.gd/42491212330.pdf
- https://uploads.strikinglycdn.com/files/14872b7d-7dfd-4e01-b61a-89f31fdd4473/78703992546.pdf
- https://uploads.strikinglycdn.com/files/b6e37533-6f92-43c3-8c5c-11d9298c1496/49698355894.pdf
- https://uploads.strikinglycdn.com/files/9bc7e561-34ef-46b0-a973-3f7ffe738dfd/are_princeton_review_gre_practice_tests_harder.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000eb3b.bin31c5b292776ecad4f919771d33c177bc91a3a54fddcbd16a551ea97533870a85 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB3B | 4748 bytes |
font_01_sfnt_off0000fb53.binb2a151bb97d5a69e609d27543c4f8782e0a494aa017c270b13271ec3f3e81014 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFB53 | 11148 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.