Verdict: MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF file contains embedded URLs and is flagged by ClamAV as a phishing trojan. The ML classifier also strongly indicates maliciousness. The primary malicious URL, https://lozipotod.ru/strik, is likely used to deliver a secondary payload or redirect the user to a phishing site. No scripts were extracted, but the presence of malicious URLs and the ClamAV detection strongly suggest a phishing or malware distribution attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics (4)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://lozipotod.ru/strik?utm_term=how+many+types+of+valves+pdf
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000e875.bin | 3e6843f33beeea2053815f7a3cfde8ab7be0b565daa409b7eb47e8712ba17772 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE875 | 5308 bytes |
| font_01_sfnt_off0000fa8d.bin | 35ad024ad6114ffe17a68280a8c7ad2e698dd978fb45bb80f2d5132a05365cf1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFA8D | 10248 bytes |