Verdict: MALICIOUS (Risk Score: 134)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains multiple external URIs, with one pointing to 'xezojetit.ru', which is flagged as suspicious. The presence of a 'SE_DOWNLOAD_BUTTON' heuristic and the ML classifier's high confidence score indicate a malicious intent. Although no scripts were explicitly extracted, the PDF structure and embedded URLs suggest it's designed to trick users into downloading or visiting malicious content, aligning with a phishing or malware delivery scheme.
Machine Learning
- Nyx PDF Classifier malicious score 0.9970
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- Visual download / call-to-action button lure [low, SE_DOWNLOAD_BUTTON]: Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://xezojetit.ru/123?utm_term=free+title+templates+for+premiere+pro+cc (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off000110ef.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x110EF | 5116 bytes | 6752f621d1571b4c99ee52c33f5ff690cade1973f5627845443ae8b88f361e8d |
| font_01_sfnt_off0001223f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1223F | 10668 bytes | bba7b4b936c08ae91fa68f850c7bdcd3959d861f6912d03ea3e638fdbebbafd1 |