Verdict: MALICIOUS
Risk Score: 156

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
- T1059.007 JavaScript
The PDF was flagged as malicious by both the machine-learning classifier (Nyx, score 0.9997) and ClamAV (Pdf.Phishing.Trojan signature). Heuristics identify a remote-support-tool lure and a callback-phishing phone lure, consistent with a social-engineering attempt to get the recipient to install or connect with remote-access software, or to call an attacker-controlled number. The URL reached through a link annotation points to a suspicious domain (baarspo.ru) and is the most likely download or redirection point for a secondary payload; the document text additionally carries many .pdf links on free-hosting subdomains with SEO-style keyword filenames. No JavaScript or exploit heuristic fired, so the T1203 and T1059.007 mappings are not corroborated by the findings below.

Machine Learning
- Nyx PDF Classifier: malicious score 0.9997
Heuristics (6)

- ClamAV detection | critical | CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Remote-support tool lure | high | SE_REMOTE_SUPPORT_LURE
  Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect. High-risk in an unsolicited document.
- Callback phishing phone lure | medium | SE_CALLBACK_LURE
  Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
- External URI | info | PDF_URI
  PDF contains an external URL action.
- Object number defined twice with different bodies | info | PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL | info | EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL channel (macro, JS, link annotation, document body, ...) for how each URL was reached.
  - https://baarspo.ru/strik?utm_term=creader+professional+crp123+codes (PDF link annotation)
  - http://krokoboko3.xyz/lagune_1_kursbuch5r72d.pdf (PDF document text)
  - http://cpskras.website/husqvarna_460_rancher_user_manualvhu1k.pdf (PDF document text)
  - http://com-servers.online/how_does_manual_dexterity_affect_performance_activityohbe0.pdf (PDF document text)
  - http://gravkamen.ru/avast_antivirus_pro_2019_apknyrc6.pdf (PDF document text)
  - http://jurabosuw.22web.org/xatirolamijedafuboji.pdf (PDF document text)
  - http://jixaravaxagisuf.22web.org/22633918994.pdf (PDF document text)
  - http://abwaab.su/bootstrap_themes_free_for_html56rwl8.pdf (PDF document text)
  - http://nanolenka.xyz/nalinirosobaku4g56u.pdf (PDF document text)
  - http://inostrana.com/damimafitapeloxotumavia016.pdf (PDF document text)
  - http://www.ascendercorp.com/ (PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (PDF document text)
  - https://s3.amazonaws.com/memobofilenabon/my_rainbow_fairies_collection_book.pdf (PDF document text)
  - https://ff0b3df2-dc61-4aeb-9024-93fa9b5bc175.filesusr.com/ugd/aa14a9_26df4e46f9164d799ce95e42bed667cb.pdf?index=true (PDF document text)
  - https://uploads.strikinglycdn.com/files/a7281006-3186-44c0-9126-222e33879f5e/mudapepakeriguloliwe.pdf (PDF document text)
  - https://s3.amazonaws.com/fadupazageraf/chocolate_cake_nutrition_information.pdf (PDF document text)
  - https://uploads.strikinglycdn.com/files/726af0ac-4f2d-47b6-83f9-0aad4e8b952c/best_oil_heaters_for_large_rooms.pdf (PDF document text)
  - http://begilokikilox.rf.gd/the_new_monkey_king_season_2_cast.pdf (PDF document text)
  - https://676a7a22-5bec-432e-92e0-9d4a0a27851c.filesusr.com/ugd/a1fb72_7f3cbd0a82084d5d8a4f8bf78c227617.pdf?index=true (PDF document text)
  - http://tivogowajap.epizy.com/17190585300.pdf (PDF document text)
  - http://sumidemeg.epizy.com/french_in_action_textbook.pdf (PDF document text)
  - https://s3.amazonaws.com/woxorojero/jerakefubebo.pdf (PDF document text)
  - https://s3.amazonaws.com/gafedupeba/is_the_bounty_hunter_code_canon.pdf (PDF document text)
  - https://s3.amazonaws.com/fuwuzerijofa/dapajizoluloxivobexu.pdf (PDF document text)
  - https://0dd0cd87-80d3-4eb5-b9c6-73c43c3a6fca.filesusr.com/ugd/f0b6b3_92f68dfcb2fd413d9f7c3567ca31e179.pdf?index=true (PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (PDF document text)
  - http://purl.org/dc/elements/1.1/ (PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (PDF document text)
  - http://ns.adobe.com/xap/1.0/ (PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (PDF document text)
  - http://scripts.sil.org/OFL (PDF document text)

  The w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace URIs, and scripts.sil.org/OFL (the SIL Open Font License) and the ascendercorp.com entries most likely come from copyright and licence strings in the embedded fonts; these are expected in any PDF carrying XMP metadata and embedded fonts and are not indicators on their own.
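To make the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL finding concrete, here is an added Python example (not the analyzer's code) that scans a PDF for indirect objects defined more than once with different bodies, shows what a first-wins reader and a last-wins reader would each resolve for the /URI of the conflicting object, and escalates severity only when a conflicting definition carries active content. The sample PDF is constructed inline and is not the analysed file; example.org and evil.example are placeholder domains. It is a regex-based triage aid, not a conforming PDF parser, so object streams and compressed bodies are out of scope.

```python
"""Flag PDF indirect objects that are defined more than once with different bodies.

Added example, not the analyzer's own code. Mirrors the
PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic: report what a first-wins and a
last-wins reader would each resolve for the conflicting object, and escalate
only when a conflicting definition carries active content.
"""
import re
from collections import defaultdict

# Keys that hand control to an external or executable target; a duplicate that
# carries one of these is the case the heuristic raises severity for.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")

# "N G obj ... endobj", matched lazily so each definition is captured separately.
OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Literal-string /URI values; a backslash-escaped ')' does not end the string.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)

# Constructed sample (not the analysed file): the original body defines link
# annotation 4 0 with a benign target; an appended incremental update redefines
# 4 0 with a different target and also rewrites 2 0 (the page tree) harmlessly.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/docs) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://evil.example/strik) >> >> endobj
5 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R 5 0 R] /Count 2 >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""


def parse_objects(data):
    """Map (num, gen) -> list of body bytes, in file order, keeping duplicates."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_bodies(data):
    """Objects defined more than once whose definitions are not byte-identical."""
    return {k: v for k, v in parse_objects(data).items()
            if len(v) > 1 and len(set(v)) > 1}


def extract_uris(body):
    """All literal-string /URI targets found in one object body."""
    return [u.decode("latin-1") for u in URI_RE.findall(body)]


def assess(data):
    """One finding per conflicting object, with first-wins and last-wins views."""
    findings = []
    for (num, gen), bodies in sorted(duplicate_bodies(data).items()):
        active = any(k in b for b in bodies for k in ACTIVE_KEYS)
        findings.append({
            "obj": f"{num} {gen}",
            "definitions": len(bodies),
            "first_wins_uris": extract_uris(bodies[0]),
            "last_wins_uris": extract_uris(bodies[-1]),
            "active_content": active,
            # Body-only drift in an incremental update stays informational;
            # a conflicting definition with active content is escalated.
            "severity": "high" if active else "info",
        })
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_PDF):
        print(f"{f['obj']} obj x{f['definitions']} [{f['severity']}] "
              f"first-wins={f['first_wins_uris']} last-wins={f['last_wins_uris']}")
```

Run against the constructed sample, the page-tree rewrite of object 2 0 is reported as info (no active content, the normal shape of an incremental update), while object 4 0 is reported as high because a first-wins reader resolves the benign URL and a last-wins reader resolves the replaced one. On a real sample, compare the two URL sets against the EMBEDDED_URL list to see which reader the lure was built for.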
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off000185b9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x185B9 | 3212 bytes | b09a5f6553321b8238e29f7cbd8e65cfb616a446cffe9caa6845d43b93dbdc28 |
| font_01_sfnt_off00019128.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x19128 | 5404 bytes | 5db0d5cf87fb52a51905b2035b7322d88af0d472455f4ee76fe41038daf1ce67 |
| font_02_sfnt_off0001a399.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1A399 | 13300 bytes | 178757b65f52348e2f8b3c234a87554ac59c58211b231b01d70e76055001b814 |