MALICIOUS
104
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. The heuristic 'SE_INVOICE_LURE' indicates the document's content is designed to resemble an invoice or payment request. An external URI, 'https://zajinet.ru/strik?utm_term=how+to+add+fonts+to+wix+site', was extracted, suggesting the document's purpose is to redirect the user to a malicious site, likely for further exploitation or credential harvesting.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Fake invoice / payment lure low SE_INVOICE_LUREDocument contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://zajinet.ru/strik?utm_term=how+to+add+fonts+to+wix+site
- https://static.s123-cdn-static.com/uploads/4418981/normal_5ffdc32db77c3.pdf
- http://love-cosmetics.shop/ronugufuguakzm.pdf
- http://quickstore.pro/love_island_game_season_3_first_challenge_answers1ppsk.pdf
- https://cdn-cms.f-static.net/uploads/4492586/normal_60395dbab18c2.pdf
- https://cdn.sqhk.co/bigulikexupa/TgdbdS6/xozinovovajabofomawudo.pdf
- https://static.s123-cdn-static.com/uploads/4446395/normal_5fcd0c812b860.pdf
- https://static.s123-cdn-static.com/uploads/4372721/normal_5fc9f8b47ebbf.pdf
- https://cdn-cms.f-static.net/uploads/4380226/normal_5fe98a7b15d23.pdf
- https://static.s123-cdn-static.com/uploads/4422390/normal_5ff0cc067d071.pdf
- http://accface.in/king_herod_jesus_christ_superstar_alice_coopersc2g3.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/40b91cbf-0dba-4497-ae54-d47a35fee5de/google_chrome_delete_search_bar_history.pdf
- https://uploads.strikinglycdn.com/files/685379de-d70e-423b-b0f3-fb890bf7ab54/arguing_about_literature_a_guide_and_reader_3rd_edition.pdf
- https://uploads.strikinglycdn.com/files/6089f83d-7c41-42b5-b107-50163da43301/korg_microkorg_analog-modeling_synth_vocoder.pdf
- https://uploads.strikinglycdn.com/files/67b48d19-ec6c-40d0-808c-4b757020bf61/22162644548.pdf
- https://s3.amazonaws.com/nagudo/93980667357.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f952.bin1eb45983b25e2dfbecc8ac7b833cf92527160ee7a2c4c84d65060428e4dad7b0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF952 | 4896 bytes |
font_01_sfnt_off00010a27.bin1255bd1f4e3614351d2a8c1fd26d6bb42367d9724d679d71b4b973e570b88bc5 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10A27 | 11304 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.