SUSPICIOUS
50
Risk Score
Machine Learning
- Nyx PDF Classifier clean score 0.0072
Heuristics 3
-
Clickable URL embeds a recipient email address as a tracking parameter high PDF_URL_RECIPIENT_EMAIL_PARAMPDF has a clickable HTTP(S) action whose URL carries a recipient email address as a query parameter (e.g. '?e=victim@example.com') on a host that is not known-good. Phishing kits stamp the target's address into the link so the landing page pre-fills the credential form and tracks the open per recipient; a delivered legitimate link rarely carries the recipient's address in cleartext. Complements PDF_URL_MAILMERGE_PLACEHOLDER, which catches the unrendered token.
-
External URI low PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://hakumonkai.org/fukkou/ref.php?url=https://vets4pets.nz/public/go.php?email=fleet-scotland@ogilvie.co.uk PDF link annotation
- http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text
🗂 Part of campaign:
shared payload 99ad8546da
13 samples
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00000bd8.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xBD8 | 19140 bytes |
SHA-256: 1d975c9593415dbd66a743016f842d0b20f9c8fc8887c572fe5387dd52b9eb27 |
|||
font_01_sfnt_off00003337.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x3337 | 15892 bytes |
SHA-256: 99ad8546dad29e7bf686b854933af3e4868c1b561453de5b001ef0244aae4174 |
|||
font_02_sfnt_off00004e25.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4E25 | 13532 bytes |
SHA-256: d9b7e4694a62f4cc2dc10cb17c4d45e5943b9ae0da3fc96fd732b2b28ab45ce4 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.