SUSPICIOUS
50
Risk Score
Machine Learning
- Nyx PDF Classifier clean score 0.0072
Heuristics 3
-
Clickable URL embeds a recipient email address as a tracking parameter high PDF_URL_RECIPIENT_EMAIL_PARAMPDF has a clickable HTTP(S) action whose URL carries a recipient email address as a query parameter (e.g. '?e=victim@example.com') on a host that is not known-good. Phishing kits stamp the target's address into the link so the landing page pre-fills the credential form and tracks the open per recipient; a delivered legitimate link rarely carries the recipient's address in cleartext. Complements PDF_URL_MAILMERGE_PLACEHOLDER, which catches the unrendered token.
-
External URI low PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://hakumonkai.org/fukkou/ref.php?url=https://vets4pets.nz/public/go.php?email=jurgita@profinas.lt PDF link annotation
- http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text
🗂 Part of campaign:
shared payload 99ad8546da
13 samples
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00000bc2.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xBC2 | 19056 bytes |
SHA-256: acdf39381c9f619c8cd0e7a13b413db5df5f115d1bd440f0507143cd74b612a0 |
|||
font_01_sfnt_off000032de.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x32DE | 15892 bytes |
SHA-256: 99ad8546dad29e7bf686b854933af3e4868c1b561453de5b001ef0244aae4174 |
|||
font_02_sfnt_off00004dcc.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4DCC | 13532 bytes |
SHA-256: d9b7e4694a62f4cc2dc10cb17c4d45e5943b9ae0da3fc96fd732b2b28ab45ce4 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.