Verdict: MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains an embedded URL pointing to 'mezovuduw.ru', which is likely used for phishing or to download a secondary payload. The document body, though heavily obfuscated, contains text related to 'national literacy progressions', suggesting a lure to trick users into clicking the malicious link.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 4
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://mezovuduw.ru/award?keyword=national+literacy+progressions+pdf
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000de5e.bin (9d3187b02d36e39d58b242c4eeffd988e5ed8e106dc997e78fe27bb9e16351e2) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDE5E | 5396 bytes |
| font_01_sfnt_off0000f0d7.bin (823412a38007cc6cd8f47c2e0b3f83915d72660ddfbe6c9e739a1724073b3be1) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF0D7 | 10672 bytes |