SUSPICIOUS
50
Risk Score
Machine Learning
- Nyx PDF Classifier clean score 0.0072
Heuristics 3
-
Clickable URL embeds a recipient email address as a tracking parameter high PDF_URL_RECIPIENT_EMAIL_PARAMPDF has a clickable HTTP(S) action whose URL carries a recipient email address as a query parameter (e.g. '?e=victim@example.com') on a host that is not known-good. Phishing kits stamp the target's address into the link so the landing page pre-fills the credential form and tracks the open per recipient; a delivered legitimate link rarely carries the recipient's address in cleartext. Complements PDF_URL_MAILMERGE_PLACEHOLDER, which catches the unrendered token.
-
External URI low PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://hakumonkai.org/fukkou/ref.php?url=https://vets4pets.nz/public/go.php?email=c.dolan@iresreit.ie PDF link annotation
- http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text
🗂 Part of campaign:
shared payload 99ad8546da
13 samples
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00000bbf.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xBBF | 18904 bytes |
SHA-256: 4c45fc5b9243a8a9d5c082a564769cdf225e505ed1eedc16d228b14fd9fbd4cf |
|||
font_01_sfnt_off00003290.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x3290 | 15892 bytes |
SHA-256: 99ad8546dad29e7bf686b854933af3e4868c1b561453de5b001ef0244aae4174 |
|||
font_02_sfnt_off00004d7e.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4D7E | 13532 bytes |
SHA-256: d9b7e4694a62f4cc2dc10cb17c4d45e5943b9ae0da3fc96fd732b2b28ab45ce4 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.