Verdict: MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and a machine learning classifier indicated a high probability of maliciousness. It contains an embedded URI pointing to a suspicious domain, pelibifir.ru, which is likely used to host a malicious payload or phishing page. The document body, though heavily obfuscated, suggests a lure related to a 'fairy tail magic guide'. No scripts were extracted, but the presence of external URIs and the overall detection profile strongly suggest a phishing or malware distribution attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.9935
Heuristics (4)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL https://pelibifir.ru/wix?keyword=fairy+tail+magic+guide+global+release (PDF link annotation)
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00017134.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17134 | 41844 bytes | ce6e4ed8bc576b6fab32d6585b97c3c07e58456b135c14a1d0df9c31c9c3ba5a |
| font_01_sfnt_off0001f18c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1F18C | 5456 bytes | e23542fcdbc797a992cfbeb5e845a8b9365eaf9e6bea3a7ddbc1f97053ece7c5 |
| font_02_sfnt_off0002040c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2040C | 12368 bytes | f9cc83edfe4c6de0b577c2a28689b1d45c1dddee37b2416651909851617263b2 |