Risk Score: 104 (MALICIOUS)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. It uses an urgency-based lure. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.7105
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Urgency / deadline lure (low, SE_URGENCY_LURE): Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (6)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00032b57.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x32B57 | 6864 bytes | 7ae164a73ee3e4de9047e294222b9c53e7df13250ab0f7e59e0ac30a4623017c |
| font_01_sfnt_off00033c7f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x33C7F | 18064 bytes | 971c4b9d5afc8e8234c141fbe84c34f433b8cc6ea3deb3258950ea93b86bde6b |
| font_02_sfnt_off0003773a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3773A | 5320 bytes | acc2261fcac482ba45673fefc2485b0801ed285580e8d7b5e5c9a3645658ff06 |
| font_03_sfnt_off000388f6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x388F6 | 6176 bytes | eabd8a525f566427dadeb5ba8e54d2d038fc688f2af4b13e4fb7d7dcd0c958dc |
| font_04_sfnt_off000397e5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x397E5 | 18548 bytes | 78fc37b79d23c48ed1c73b73ca37f118722d95e1adc2144c4f98c120b05a12df |
| font_05_sfnt_off0003d383.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3D383 | 18720 bytes | 6aa709a6a44c814ffdfd5564c480a71d38255810cbaeb8f6d41e368272bf4a20 |