Verdict: MALICIOUS
Risk Score: 136
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF was classified as malicious by the ML classifier and by ClamAV, consistent with a phishing lure rather than an exploit document. It carries a link annotation whose target is an SEO redirector keyed to the search phrase "cardinal direction worksheets for kindergarten"; the destination routes the reader into a download lure disguised as educational worksheets. The PDF_SEO_UTM_REDIRECTOR_LINK heuristic matched on structure (an image lure with little body text plus the redirector link), independently of the signature. No JavaScript or other active content was extracted, so the annotated URL is the primary indicator of compromise; the other URLs listed below were found in the document text rather than in link actions, as the per-URL channel labels show.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics (5)
- ClamAV detection [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Image lure linking to an SEO redirector (free-download phishing) [high, PDF_SEO_UTM_REDIRECTOR_LINK]: The PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector, the "free ebook / solution manual / document download" phishing family that ranks for natural-language search queries and routes the user into a payload or redirect chain. The PDF carries no exploit; the risk is the linked destination. The rule fires on structure (image lure plus SEO redirector), so it does not depend on a ClamAV or ML signature and is unaffected by how many filler text pages the lure carries.
- External URI [info, PDF_URI]: The PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. A URL by itself is not a detection; the channel column records how each URL was reached (macro, JS, link annotation, document body, ...).

| URL | Channel |
|---|---|
| https://vilenefex.ru/123?utm_term=cardinal+direction+worksheets+for+kindergarten | PDF link annotation |
| http://pokovata.scienceontheweb.net/zaletolululatefugode.pdf | PDF document text |
| http://gilumesu.mypressonline.com/hernia_hiatal_dieta.pdf | PDF document text |
| http://zisapawiwako.mypressonline.com/anarchy_state_and_utopia_nozick.pdf | PDF document text |
| https://cdn-cms.f-static.net/uploads/4413375/normal_600a5b27d47de.pdf | PDF document text |
| https://static.s123-cdn-static.com/uploads/4393359/normal_6008acc9ead5f.pdf | PDF document text |
| https://cdn-cms.f-static.net/uploads/4476939/normal_602ce2c993891.pdf | PDF document text |
| https://cdn-cms.f-static.net/uploads/4489032/normal_60153a9c9bfd7.pdf | PDF document text |
| http://www.ascendercorp.com/ | PDF document text |
| http://www.ascendercorp.com/typedesigners.html | PDF document text |
| https://uploads.strikinglycdn.com/files/bf6348be-51cf-47ff-9a0f-106bf70492b2/negadopawawefogabed.pdf | PDF document text |
| http://lopafulobitap.atwebpages.com/el_capitalismo_karl_marx.pdf | PDF document text |
| https://uploads.strikinglycdn.com/files/6af05f0b-b7a1-46e6-bd2f-cfbfa34ef579/boy_scouts_of_america_job_posting.pdf | PDF document text |
| https://uploads.strikinglycdn.com/files/1c40d182-15b6-4289-901d-bc43cb463864/4087540118.pdf | PDF document text |
| https://uploads.strikinglycdn.com/files/97266016-eb3d-4d61-b2fc-889568bff3cd/rapujoxexazoxafelujofax.pdf | PDF document text |
| https://uploads.strikinglycdn.com/files/c9378ccf-b43b-4c84-8acf-9229fdc25d44/how_to_reset_zmodo_camera.pdf | PDF document text |
| https://uploads.strikinglycdn.com/files/1cd29f31-a772-48a8-8a1f-445cac14dc3f/craftsman_garage_door_opener_1_2_hp.pdf | PDF document text |
| https://uploads.strikinglycdn.com/files/349650de-5b58-45d9-a2ec-b89b082cf037/27396349044.pdf | PDF document text |
| https://uploads.strikinglycdn.com/files/65a17d6c-4c1c-4d3d-a349-c5031ef13c30/thank_you_lord_for_loving_me_hymn_lyrics.pdf | PDF document text |
| https://uploads.strikinglycdn.com/files/47b72487-ea5c-4372-870e-3e61aeea5c1c/37441396154.pdf | PDF document text |
| https://uploads.strikinglycdn.com/files/4e9d2480-b712-470e-8ac1-424f643fdba3/dometic_ccc2_thermostat_wiring_diagram.pdf | PDF document text |
| https://uploads.strikinglycdn.com/files/91a3eac5-abee-432d-b32f-6444a2f0eae1/wd_my_cloud_usb_supported_file_system.pdf | PDF document text |
| https://uploads.strikinglycdn.com/files/cd289dc0-6a1e-411b-a013-9dfe10ed3515/kusugalifepetomizade.pdf | PDF document text |
| https://uploads.strikinglycdn.com/files/838e3f76-7432-4d3d-8fc2-30d853c96c36/diccionario_espaol_en_descargar_gratis.pdf | PDF document text |
| http://www.w3.org/1999/02/22-rdf-syntax-ns# | PDF document text |
| http://purl.org/dc/elements/1.1/ | PDF document text |
| http://ns.adobe.com/pdf/1.3/ | PDF document text |
| http://ns.adobe.com/xap/1.0/ | PDF document text |
| http://ns.adobe.com/xap/1.0/mm/ | PDF document text |
| http://ns.adobe.com/xap/1.0/rights/ | PDF document text |
| http://scripts.sil.org/OFL | PDF document text |

The last seven entries are the RDF, Dublin Core and Adobe XMP namespace URIs from the document's metadata stream plus the SIL Open Font License URL from the embedded fonts' metadata; they are not lure links. The two ascendercorp.com entries are likewise font-vendor references from the embedded sfnt fonts, not phishing destinations. Only the first entry was reached through a link action.
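The two structural heuristics above, PDF_SEO_UTM_REDIRECTOR_LINK and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a body-level scan that does not trust the xref table. The following Python is an added example and not the analyzer's own code: it walks every `N G obj ... endobj` definition in file order, pulls literal-string `/URI` actions out of each body, flags a multi-word `utm_term` (or an assumed FeedBurner-style proxy host, a label chosen here) on a page that has an image and almost no shown text, and reports objects whose first and last definitions differ together with what a first-wins and a last-wins reader would each resolve. The sample PDF is constructed inline (the redirector URL is the one from this report; the second destination under `example.invalid` is invented) and omits xref tables, which the scanner does not consult.

```python
"""Structural checks for the two heuristics above: /URI link actions pointing
at a multi-word utm_term or feed-proxy SEO redirector on an image-lure page, and
indirect objects redefined with different bodies by an incremental update.
Added example, not the analyzer's code; the sample PDF is constructed inline."""
import re
from urllib.parse import parse_qs, urlsplit

# "N G obj ... endobj" in file order; xref tables are not consulted, which is the
# point: a first-wins parser and a last-wins parser see the same bytes differently.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Literal-string /URI values only; hex strings and escaped parens are ignored here.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Assumed proxy hosts for the FeedBurner-proxied variant of the redirector.
PROXY_HOSTS = ("feedproxy.google.com", "feedburner.com")

def parse_objects(pdf):
    """Return {(num, gen): [body, ...]}; more than one body means the object
    was redefined later in the file (the incremental-update shape)."""
    objs = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        objs.setdefault(key, []).append(m.group(3).strip())
    return objs

def duplicate_bodies(objs):
    """(num, gen, first_body, last_body) for objects defined more than once
    with different bytes, i.e. PDF_DUPLICATE_OBJ_BODY_INCREMENTAL."""
    return [(n, g, b[0], b[-1]) for (n, g), b in objs.items()
            if len(b) > 1 and b[0] != b[-1]]

def uri_actions(body):
    return [u.decode("latin-1") for u in URI_RE.findall(body)]

def is_seo_utm_redirector(url):
    """The lure shape: utm_term carrying three or more natural-language words
    (the search query the page ranks for), or a feed-proxy host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if any(host == h or host.endswith("." + h) for h in PROXY_HOSTS):
        return True
    # parse_qs turns '+' into spaces, so a multi-word term splits on whitespace.
    return any(len(term.split()) >= 3
               for term in parse_qs(parts.query).get("utm_term", []))

def assess(pdf):
    """Map heuristic name -> evidence, using the report's own labels."""
    objs = parse_objects(pdf)
    findings = {}
    # Every body is scanned, including ones a last-wins reader would discard.
    urls = [u for bodies in objs.values() for b in bodies for u in uri_actions(b)]
    if urls:
        findings["PDF_URI"] = sorted(set(urls))
    has_image = re.search(rb"/Subtype\s*/Image\b", pdf) is not None
    # Visible text is approximated by uncompressed "(...) Tj" operators.
    shown = b"".join(re.findall(rb"\(([^)]*)\)\s*Tj", pdf))
    seo = [u for u in dict.fromkeys(urls) if is_seo_utm_redirector(u)]
    if seo and has_image and len(shown) < 200:
        findings["PDF_SEO_UTM_REDIRECTOR_LINK"] = seo
    dups = duplicate_bodies(objs)
    if dups:
        findings["PDF_DUPLICATE_OBJ_BODY_INCREMENTAL"] = [
            {"obj": f"{n} {g}", "first_wins": uri_actions(a), "last_wins": uri_actions(b)}
            for n, g, a, b in dups]
    return findings

def build_sample():
    """Constructed lure: one page, a 1x1 image XObject, one word of text, a
    full-page link annotation to the redirector, then an incremental update
    that redefines annotation object 4 with a different (invented) destination."""
    base = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
  /Resources << /XObject << /Im0 5 0 R >> >> /Contents 6 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792]
  /A << /S /URI /URI (https://vilenefex.ru/123?utm_term=cardinal+direction+worksheets+for+kindergarten) >> >> endobj
5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /ColorSpace /DeviceGray /BitsPerComponent 8 /Length 1 >>
stream
\x00
endstream
endobj
6 0 obj << /Length 50 >>
stream
q 612 0 0 792 0 0 cm /Im0 Do Q BT (Download) Tj ET
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""
    update = b"""4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792]
  /A << /S /URI /URI (https://example.invalid/benign-looking) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""
    return base + update

if __name__ == "__main__":
    for name, evidence in assess(build_sample()).items():
        print(name, evidence)
```

Running the script prints all three findings for the constructed file; the duplicate-object entry shows the redirector under `first_wins` and the replacement destination under `last_wins`, which is exactly the disagreement the heuristic is warning about. On a real sample, compressed content streams (`/FlateDecode`) must be inflated before the text-count check is meaningful.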
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000e1bb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE1BB | 5344 bytes | 3f8659525e11380b03bc7c576f940d6ecdffd7694d1858e064139d1af1c1f8c6 |
| font_01_sfnt_off0000f3f5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF3F5 | 10908 bytes | f6dd064ce0b8bb1d15685364d67afcb174a7712640bcfaea4dc157a8398e3efa |