MALICIOUS
164
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF document was flagged by a machine learning classifier and ClamAV as malicious, exhibiting characteristics of an advance-fee scam. It contains an external URI pointing to a suspicious domain, likely intended to redirect the user to a malicious site or download a payload. The document body, though heavily obfuscated, suggests a lure related to a product manual, combined with elements that could be part of a phishing or scam attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.9942
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LUREDocument contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
-
Callback phishing phone lure medium SE_CALLBACK_LUREDocument asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://pelibifir.ru/wix?keyword=bluedio+turbine+t2+manual
- https://fiwobezamarevev.weebly.com/uploads/1/3/2/7/132740324/naporu.pdf
- http://mediaverifiedbadge.com/fimelafaji83elw.pdf
- https://tugesarafexo.weebly.com/uploads/1/3/5/3/135319839/bf9ec9887268bde.pdf
- http://nashremont.site/telling_time_grade_2_worksheettje4i.pdf
- https://lonoripub.weebly.com/uploads/1/3/5/3/135319728/kunozu-wajadatebur.pdf
- https://ligunetanojuwid.weebly.com/uploads/1/3/4/6/134625742/siwuvozaxumog.pdf
- https://ratamugokamilel.weebly.com/uploads/1/3/5/9/135959592/c931d9501.pdf
- http://qwert-ita.fun/91721453381yl1pb.pdf
- https://jawenovexexadu.weebly.com/uploads/1/3/4/0/134012785/2953430.pdf
- http://nubilofanekib.mygamesonline.org/data_scientist_interview_questions.pdf
- http://nibewubixela.getenjoyment.net/9882761207.pdf
- http://devlp.club/what_does_sxt_mean_on_a_dodge_caravanmlldh.pdf
- https://ziwagunu.weebly.com/uploads/1/3/4/8/134883986/lemud_wetukif_pofowafixot.pdf
- http://www.opentle.org
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://54957a25-093b-4cbd-a4f0-8eb5fea931f0.filesusr.com/ugd/8ba634_e79d20f22d424fc9a9b0a424a0695828.pdf?index=true
- https://s3.amazonaws.com/rujimidujek/export_bookmarks_from_brave_browser_android.pdf
- https://s3.amazonaws.com/sosupejuxofedo/4596605464.pdf
- https://b3079848-b07e-4d89-9244-05dfa5dd91fe.filesusr.com/ugd/3ab5ed_4b5e7b1a2331490fbeebd29f6f636199.pdf?index=true
- https://s3.amazonaws.com/pukaridimupo/vizio_sb2920-c6_29-inch_2.0_channel.pdf
- https://88211235-bf86-4d40-a6ec-a052db2f682e.filesusr.com/ugd/94e5ef_1da4a21455ed4a06965553affe018486.pdf?index=true
- https://s3.amazonaws.com/pusolefosex/delinquent_account_on_credit_report_uk.pdf
- https://436240a4-ef10-404e-ad90-c5cab949c7af.filesusr.com/ugd/3fb742_fba36c7d85724981ba4f6e3d7f642e04.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://www.gnu.org/licenses/gpl.html
- http://scripts.sil.org/OFL
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 6
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_005_off00025e0c.bincc321681733ed334601cb5659ff696d864a2b2d4b0942964367c495a82e9c8f7 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x25E0C | 9484 bytes |
font_00_sfnt_off00024202.bin4eade0b89cbe79c57e58b9fc1620e91cfd61cea2a52885750f6bdc0c2a786e72 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x24202 | 3128 bytes |
font_01_sfnt_off00024d46.bin960eaf496578b07f9e85da05c45a453d8a87f6f30e4c89749e43e799788bb726 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x24D46 | 4996 bytes |
font_03_sfnt_off000278ca.bin66ccce7f1f120084e1bc046c803b75a098cba27fd3410ebe5002c59e51c3aa1d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x278CA | 12888 bytes |
font_04_sfnt_off0002a44c.binead7fd593d7f5feef6f283420e9b55f8fa4552f107c64b0063d474dd3355abd8 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x2A44C | 16164 bytes |
font_05_sfnt_off0002b965.bin0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x2B965 | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.