MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to 'https://zajinet.ru/wix?keyword=high+five+ghost+tattoo', which is likely a lure to a phishing site or a download server. The document body, though heavily obfuscated, contains metadata suggesting it was generated by wkhtmltopdf, a tool sometimes used to create malicious PDFs.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://zajinet.ru/wix?keyword=high+five+ghost+tattoo
- https://cdn.sqhk.co/bitomasijelo/ijemJif/navipagavegower.pdf
- https://subilitukufune.weebly.com/uploads/1/3/4/6/134629352/duseponimeb.pdf
- http://miravozexafoxiw.iblogger.org/how_to_fix_a_maytag_centennial_washer_that_wont_spin.pdf
- https://cdn.sqhk.co/rovifatira/fGic3jh/tik_tok_video_downloader_no_watermark.pdf
- http://xusibuvuzos.22web.org/larsen_and_toubro_finance_annual_report.pdf
- https://firerokuk.weebly.com/uploads/1/3/1/1/131164187/6905217.pdf
- https://cdn.sqhk.co/xovepejegosi/1MXahir/rotation_control_on_iphone_8.pdf
- http://vidapabil.22web.org/17516579677.pdf
- https://cdn.sqhk.co/joxonorapa/ggHiigd/fubenimesumeli.pdf
- https://purusexubike.weebly.com/uploads/1/3/4/0/134000510/d84cc7c98048.pdf
- https://kanemonel.weebly.com/uploads/1/3/5/3/135319287/1088332.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://kimibixapi.epizy.com/al_quran_english_version.pdf
- http://tenurusimuxu.epizy.com/masterarbeit_informatik_anforderungsanalyse.pdf
- http://dokulokuk.epizy.com/gapevazapijavibi.pdf
- https://uploads.strikinglycdn.com/files/62989acc-8a8a-4359-8e7b-d9bb3bb1c177/jipojol.pdf
- http://rakojuk.epizy.com/xevopozoga.pdf
- http://kugovede.epizy.com/97592823836.pdf
- https://uploads.strikinglycdn.com/files/937e4ea6-a6e7-4c60-b253-7437a1493bd4/minn_kota_ulterra_trolling_motor_-_auto_deploy.pdf
- https://uploads.strikinglycdn.com/files/a5b00e92-0e0c-41e6-842c-41d9dca739c3/romeo_juliet_tamil_movie_cut_songs_download.pdf
- http://wibukosumasej.rf.gd/39727311041.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e4da.bine7306ac75c17398a4073847246b6b2665eb80d75b56aa8d51d7ac576090ea1b3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE4DA | 4924 bytes |
font_01_sfnt_off0000f5ac.bin285a31d5ab1bb15b556693368d3b12485f5479c2a5de50d68d0151f9046cdd93 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF5AC | 10564 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.