MALICIOUS
136
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The sample was identified as malicious by a machine learning classifier and ClamAV, with heuristics indicating an advance-fee scam lure. The document contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a phishing or malware distribution site. No scripts were extracted, but the PDF structure and heuristics suggest a phishing attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LUREDocument contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://soxebez.ru/aws?utm_term=functional+programming+in+python+amazon
- https://cdn-cms.f-static.net/uploads/4453115/normal_601ba87131274.pdf
- http://particulieres-societegenerale.best/6010619645zdrbh.pdf
- https://cdn-cms.f-static.net/uploads/4392861/normal_604187256e09a.pdf
- https://cdn-cms.f-static.net/uploads/4370267/normal_602d957e5acde.pdf
- http://secureappeal.com/kaxirudateletuktvdc.pdf
- http://kokusurajiguz.22web.org/wegowebunegovalo.pdf
- https://xobisopi.weebly.com/uploads/1/3/1/3/131379629/femuwukaw.pdf
- http://moreprodukti.com/35700510983hsaxc.pdf
- https://static.s123-cdn-static.com/uploads/4500201/normal_6005f5873c23b.pdf
- https://joxuripuziw.weebly.com/uploads/1/3/4/2/134266010/dinejarobajisowon.pdf
- http://limecash.xyz/zigixerivorafenisidapovopjsrq8.pdf
- https://gaxasexafarud.weebly.com/uploads/1/3/4/5/134590452/18033.pdf
- http://xodaxobomefawod.iblogger.org/abirami_anthathi_with_meaning_in_tamil.pdf
- http://girlsbeach.space/grohe_shower_tap_parts0uewu.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/diwitapezu/drill_down_report_means.pdf
- http://gadudadu.rf.gd/37305672758.pdf
- https://s3.amazonaws.com/kovozenamofox/tuzidasunirutefobebuj.pdf
- https://s3.amazonaws.com/ganubatebedoxez/lennox_slp98uh_error_codes.pdf
- https://s3.amazonaws.com/jolozidabi/can_i_use_my_iphone_as_a_universal_tv_remote.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000148b3.bin29ce15810cf4a76ef7f1f34dd861902b4c91b8f1df921b3e31d5a07aaf66ae76 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x148B3 | 5276 bytes |
font_01_sfnt_off00015a90.binecdbe9f6b4ae0d6f643f24a49ca021682f289a06c140d22ef7204d16f53c39fe |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x15A90 | 10828 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.