MALICIOUS
62
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
The PDF contains a direct link to a Windows executable hosted on GitHub, identified by the PDF_DIRECT_PAYLOAD_LINK heuristic. This executable, 'setup-qtox-x86_64-release.exe', is presented as a software installer, likely to lure the user into executing it. The presence of this direct download link strongly suggests a malicious intent to deliver a payload.
Machine Learning
- Nyx PDF Classifier clean score 0.0155
Heuristics 2
-
PDF link points directly to executable/archive payload critical PDF_DIRECT_PAYLOAD_LINKPDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe
- https://github.com/qTox/qTox/releases/download/v1.17.6/setup-
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00001c94.bin0a224902da875fa6989b9d25aa58179e14bfcee37c1f5bac75214721c865db86 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1C94 | 15536 bytes |
font_01_sfnt_off00004472.binc55552675356dba83b0c503968be1b309ec75bb92fcfc88dcf6ba72f496290d2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4472 | 12292 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.