Verdict: MALICIOUS
Risk Score: 196
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains a lure related to 'mystic messenger hack 2020' and embeds an external URI pointing to a suspicious domain. The presence of a 'Password-protected archive handoff' heuristic suggests the document may be designed to trick users into downloading an encrypted payload. ClamAV detection further confirms its malicious nature.
Machine Learning
- Nyx PDF Classifier malicious score 0.9897
Heuristics (6)
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE): Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://dafemum.ru/wix?keyword=mystic+messenger+hack+2020
Extracted artifacts (5)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000fc57.bin | 7a8f2bd0224f37515a0952ce43a210339a4aca2d7ff4cab2776e95f759e6b577 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFC57 | 7132 bytes |
| font_01_sfnt_off00010e79.bin | f2dde4c1d43a8f77989f9736713092c3e979a2c6ad916d4310ad35ef3f890275 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10E79 | 5624 bytes |
| font_02_sfnt_off00012178.bin | 5a58c01de89bc74a699b67621262d09244203ca34a7e193eac24768b39d01851 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12178 | 4108 bytes |
| font_03_sfnt_off00013169.bin | e5ea07f2083d0ea353a821c28a95e66d967aea9593d08e1a44df6b65d062ac69 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13169 | 11416 bytes |
| font_04_sfnt_off00015888.bin | 7947bdf96a9dbdfcb7444b8d1e661a60fd8de6cfece6fb185cdd9bc5f709d322 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15888 | 16320 bytes |