MALICIOUS (Risk Score: 76)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
T1203 Exploitation for Client Execution
The PDF contains an embedded URI pointing to 'jumiwimov.ru', suggesting a phishing attempt to trick the user into downloading a file. The heuristic 'SE_LOLBIN_RUN_COMMAND' indicates the presence of a command line that includes 'curl', further supporting the download lure. The ML classifier strongly flagged this PDF as malicious.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics (4)
- LOLBin token sequence in document text (high, SE_LOLBIN_RUN_COMMAND): Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or, in macro-laden Office files, the macro's own string-pool entries appearing adjacent in extracted text.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
- https://jumiwimov.ru/123?utm_term=file+from+url+without+browser
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0001071d.bin (56fe7847a1740a04c324918dfd39ce186f83677adb8429ccaaca70fdbf869e73) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1071D | 4984 bytes |
| font_01_sfnt_off000117fb.bin (6abedb81686250849ce02661af82250335dc2626e853dd478d8ee6d5e21fab3b) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x117FB | 11340 bytes |