Verdict: MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The file is a PDF containing an embedded URL that redirects to a suspicious domain, identified as malicious by ClamAV and ML classifiers. The document body, though heavily obfuscated, suggests a lure related to a popular streaming service, indicating a phishing or malware distribution attempt. The presence of external URIs and the ML classification strongly support a malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics (4)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URLs
- https://kuzutuzo.ru/strik?utm_term=does+disney+plus+have+a+christmas+carol
- http://warixedivukinat.mygamesonline.org/vefoza.pdf
- https://cdn-cms.f-static.net/uploads/4500417/normal_5fd3bfac93f10.pdf
- http://ketabizuf.22web.org/14700426023.pdf
- https://static.s123-cdn-static.com/uploads/4463298/normal_6003223720f22.pdf
- https://cdn-cms.f-static.net/uploads/4489415/normal_60436a7ed8c5c.pdf
- https://cdn-cms.f-static.net/uploads/4427077/normal_6026d87069dc7.pdf
- http://rujitexoxobag.mypressonline.com/dalowasaxalejuwokepitil.pdf
- https://cdn-cms.f-static.net/uploads/4453720/normal_602b5093eed1a.pdf
- http://wugegifa.getenjoyment.net/36722306677.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/6440efda-3e63-4cd3-bccd-0151958fa6ec/gawos.pdf
- https://s3.amazonaws.com/fobupojowojon/megogo_android_tv_4pda.pdf
- http://pagolojesuwagi.epizy.com/hand_exercises_for_carpal_tunnel.pdf
- https://s3.amazonaws.com/pajeriramal/walezuwimupibebemiz.pdf
- http://misugivunuzu.epizy.com/emi_christian_music_publishing_sheet_music.pdf
- https://s3.amazonaws.com/ragejufa/nejesananunewofamubibo.pdf
- http://bedimulepov.epizy.com/what_is_the_best_small_sewing_machine.pdf
- http://bototiluwoge.atwebpages.com/bojuna.pdf
- https://uploads.strikinglycdn.com/files/e873b4da-1a28-4d68-82ec-2e66732060d9/singer_simple_3223_retro_sewing_machine_yellow_review.pdf
- http://xikusaduxofi.atwebpages.com/91444600692.pdf
- http://gexegufikide.epizy.com/clear_platform_heels_movie.pdf
- https://s3.amazonaws.com/ditiruz/ktb_corporate_online.pdf
- https://s3.amazonaws.com/dosipive/zararimojopelarazupitow.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000fb53.bin | 2bac3b979d688a29b2f72950f5ce30c3f7119598e54fb7478ea06acfd46effc1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFB53 | 5472 bytes |
| font_01_sfnt_off00010dd7.bin | b435d7f9323ffd8fbe7245de0f213d74462e9f9d8709afd812c56449981c7aa2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10DD7 | 10568 bytes |