Verdict: MALICIOUS (Risk Score 156)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.001 User Execution: Malicious Link
T1059.007 JavaScript
The PDF file contains multiple external links, with a critical heuristic firing for 'Brand-impersonation credential phishing lure' impersonating Amazon. The document body, though heavily obfuscated, contains text related to 'money receipt book' and is generated by wkhtmltopdf, suggesting a potential lure. The presence of numerous external links, including a link farm, indicates a malicious intent to redirect users to potentially harmful websites.
Machine Learning
- Nyx PDF Classifier malicious score 0.9991
Heuristics 5
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Brand-impersonation credential phishing lure (critical, SE_BRAND_CREDENTIAL_PHISH): Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://jikevumuvovidu.weebly.com/uploads/1/3/4/3/134324483/3081619.pdf.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs (channel in parentheses):
- https://xezojetit.ru/strik?utm_term=how+to+write+a+money+receipt+book (PDF link annotation)
- https://jikevumuvovidu.weebly.com/uploads/1/3/4/3/134324483/3081619.pdf (In PDF document text)
- https://static.s123-cdn-static.com/uploads/4374980/normal_5fca143d57a1d.pdf (In PDF document text)
- https://cdn-cms.f-static.net/uploads/4474719/normal_6069995f141f6.pdf (In PDF document text)
- https://cdn-cms.f-static.net/uploads/4417208/normal_5fd88139a5d55.pdf (In PDF document text)
- https://wutosalix.weebly.com/uploads/1/3/4/6/134635680/3081230.pdf (In PDF document text)
- https://cdn-cms.f-static.net/uploads/4383692/normal_603c27b753751.pdf (In PDF document text)
- https://wupizesave.weebly.com/uploads/1/3/4/5/134581048/wasesuzejetivara.pdf (In PDF document text)
- https://cdn-cms.f-static.net/uploads/4480758/normal_601ff05a813a1.pdf (In PDF document text)
- https://cdn-cms.f-static.net/uploads/4475729/normal_6057a3daaee2b.pdf (In PDF document text)
- https://cdn-cms.f-static.net/uploads/4380068/normal_605c647e45554.pdf (In PDF document text)
- https://cdn-cms.f-static.net/uploads/4481285/normal_603a48e563e97.pdf (In PDF document text)
- https://tubuzitobez.weebly.com/uploads/1/3/4/1/134108618/d901ba3456abb6.pdf (In PDF document text)
- https://cdn-cms.f-static.net/uploads/4459059/normal_605ce370eee51.pdf (In PDF document text)
- https://cdn-cms.f-static.net/uploads/4473656/normal_60301e4b16509.pdf (In PDF document text)
- http://www.ascendercorp.com/ (In PDF document text)
- http://www.ascendercorp.com/typedesigners.html (In PDF document text)
- http://www.daltonmaag.com/ (In PDF document text)
- https://uploads.strikinglycdn.com/files/1c728a0e-fa57-48a8-a379-130de3dac0be/abu_garcia_pro_max_baitcaster_combo_review.pdf (In PDF document text)
- https://uploads.strikinglycdn.com/files/158e0889-cf58-4cf6-b1f9-b7f622215547/zozogujikimowuzelepe.pdf (In PDF document text)
- https://uploads.strikinglycdn.com/files/c1a65e86-5513-4357-9974-adedeeeb4952/watchmen_hq_download.pdf (In PDF document text)
- https://uploads.strikinglycdn.com/files/98ceb832-904c-48ec-abc3-ea1ffa9df8db/metaphor_definition_and_examples_sentences.pdf (In PDF document text)
- https://uploads.strikinglycdn.com/files/fab3deb6-3879-4255-93cd-c5e7b559b948/what_is_6_sigma_quality_level.pdf (In PDF document text)
- https://uploads.strikinglycdn.com/files/6be0cc4f-1f39-4c70-9d24-88cdef51af54/avaya_one_x_agent_2.5_13_download_free.pdf (In PDF document text)
- https://uploads.strikinglycdn.com/files/d95f172d-35ba-43bd-949c-6467f7c531cb/second_hand_law_books_for_sale_australia.pdf (In PDF document text)
- https://uploads.strikinglycdn.com/files/3be7dc19-c6ec-4c9e-bbc0-cb92e0450a2f/which_graphic_design_software_is_free.pdf (In PDF document text)
- https://uploads.strikinglycdn.com/files/52b204c2-502f-4540-ae66-4b4b20a3426e/how_many_quarts_of_transmission_fluid_does_a_2002_ford_explorer_take.pdf (In PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
- http://purl.org/dc/elements/1.1/ (In PDF document text)
- http://ns.adobe.com/pdf/1.3/ (In PDF document text)
- http://ns.adobe.com/xap/1.0/ (In PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (In PDF document text)
- http://scripts.sil.org/OFL (In PDF document text)
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00015b05.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15B05 | 5016 bytes | 1b2d63b13e8c8e3a69da292558b6af03116daf0d0c7091f1bbb02a312283384d |
| font_01_sfnt_off00016c03.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16C03 | 11592 bytes | 95b94925343a31067946ceee82c31cde5bf3b23fb4924a79553f9acc509313c4 |
| font_02_sfnt_off00019291.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x19291 | 4324 bytes | a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f |