MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains an embedded URL that redirects to a malicious domain, identified by ClamAV as Pdf.Phishing.Trojan. The ML classifier also strongly indicated maliciousness. The document body, though heavily obfuscated, appears to contain keywords related to the external URL, suggesting a phishing lure.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://jumiwimov.ru/aws?utm_term=g+shock+5146+ga110rg
- http://arenaprobet.com/reped39oia.pdf
- http://organicnu.info/xenujb73h2.pdf
- https://cdn.sqhk.co/tubafejog/fje2gf7/craigslist_los_angeles_california_motorcycles.pdf
- http://lianhua.life/batman_villain_joker_theme_musicus3m1.pdf
- http://rineset.xyz/dabanivobemezix7ivc0.pdf
- https://cdn.sqhk.co/mozigizax/ejbJOaJ/linirizepidido.pdf
- http://twenty-promo2020.ru/how_to_use_aqua_tech_5-15itk3p.pdf
- https://cdn.sqhk.co/xaderipamuva/gj5wzPU/31215497035.pdf
- https://cdn.sqhk.co/zefadanexa/UONDgjG/steps_involved_in_risk_management_process.pdf
- http://wubowobipevoto.mywebcommunity.org/61407033390.pdf
- https://cdn.sqhk.co/pilozarager/gfij2Kl/jisugorul.pdf
- http://tuwimig.scienceontheweb.net/dovumexazixilunu.pdf
- http://chestlune.online/fexelitusabanejajcy8hj.pdf
- http://nuvagefo.medianewsonline.com/barrier_free_design.pdf
- https://cdn.sqhk.co/zeterabaxax/Ajajfja/juvoraw.pdf
- http://daddytestit.xyz/what_is_the_most_important_part_of_writing_a_professional_emailhkm06.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://roxujewov.myartsonline.com/read_the_apocrypha.pdf
- https://s3.amazonaws.com/vonutavekip/parigitisozofabuwel.pdf
- https://s3.amazonaws.com/saziwijaxodav/honda_eu1000i_generator_review.pdf
- https://s3.amazonaws.com/julaxel/excel_spreadsheet_template_for_coin_inventory.pdf
- https://s3.amazonaws.com/pidufozu/hdfc_ergo_general_insurance_motor_claim_form.pdf
- https://s3.amazonaws.com/dutuzanob/agerigna_keyboard_apk.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000da19.bin37de5730e1686c7f25ccf4735106c308f4e2a7a65aaa27c92e750ff062245a9d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDA19 | 21080 bytes |
font_01_sfnt_off0001180e.binfa2b3baca3b617db06ae950db19b3bb3e779cab670e7bfcd7288af479e4a6648 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1180E | 5684 bytes |
font_02_sfnt_off00012b69.bin8b5613250520a53a3609d56ab0a3f0e3f18694c5a6059ff8de6f2c6a7923a59b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12B69 | 10672 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.