MALICIOUS
176
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
T1203 Exploitation for Client Execution
This PDF document is identified as malicious by ML classifiers and ClamAV. It uses an SEO redirector to a URL that likely serves a malicious payload, disguised as a free download. The document also contains a lure to execute commands via copy-pasting into a shell, indicating an attempt to trick the user into running arbitrary code.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINKPDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
-
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LUREDocument tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://pelibifir.ru/123?utm_term=aws+mysql+performance+insights PDF link annotation
- http://covid-19online.site/burning_spear_all_songsplua0.pdfIn PDF document text
- https://cdn.sqhk.co/zewumirapeb/0JhaifO/28566652659.pdfIn PDF document text
- http://kimiter.medianewsonline.com/cutting_edge_elementary_third_edition_download.pdfIn PDF document text
- http://juzufezike.mygamesonline.org/mathematical_reasoning_examples.pdfIn PDF document text
- http://fotubobuwenapu.scienceontheweb.net/runobozekoje.pdfIn PDF document text
- https://cdn.sqhk.co/gowamojon/5JLiceg/57503686098.pdfIn PDF document text
- https://cdn.sqhk.co/lexijunibul/heRtcsv/listening_processing_disorders.pdfIn PDF document text
- https://cdn.sqhk.co/zepigelona/jbZC2mO/26545224261.pdfIn PDF document text
- http://oneshops.space/xodejupazogilikinajelddyt7.pdfIn PDF document text
- https://cdn.sqhk.co/vimexuda/xggbihg/27704178498.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/xoxaneral/83541358502.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/22183ef1-a18e-4593-b51a-83be2efcc594/woleduzerodupojomibosapa.pdfIn PDF document text
- https://s3.amazonaws.com/sizadagazagaj/88347820008.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b037a218-786f-472f-9f09-0a08ef759dc8/how_to_lower_a1c_and_glucose_levels.pdfIn PDF document text
- https://s3.amazonaws.com/xijalovelokolep/51900456466.pdfIn PDF document text
- https://s3.amazonaws.com/juliziwojatige/jikowezesabosanode.pdfIn PDF document text
- http://dipagepe.atwebpages.com/32978375513.pdfIn PDF document text
- https://af1bea64-f5cd-41c2-a7c1-97f21c1aa057.filesusr.com/ugd/592671_ecfdb08f38ef418da6342ce49e6e303c.pdf?index=trueIn PDF document text
- https://30cc9e9c-6145-4029-bfdc-d0561bdb3a10.filesusr.com/ugd/0dcf4b_f29b6be8d50a4dad84072a60b5f1d5d9.pdf?index=trueIn PDF document text
- https://469ee322-798e-4c1d-9571-af6764901f97.filesusr.com/ugd/57169b_3dd1ed30d5f94300b5e2caa618c6f987.pdf?index=trueIn PDF document text
- https://3176e400-c268-4dc0-8d69-08eae86937f8.filesusr.com/ugd/ea2f88_32feeb1cff3c4ed9a226a3b7cf03f1aa.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/wajibile/gurnam_bhullar_punjabi_song_mp4.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000eed5.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEED5 | 5736 bytes |
SHA-256: 9ff9b750e5c01b96e41154d2f8b734a8b452eadecfbd794e93197e3c8f070e19 |
|||
font_01_sfnt_off0001024c.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1024C | 11276 bytes |
SHA-256: a5cf109a40057cd0eed0fedd4e026fad3fc61d0f2389afa0d2f74e84fb05af62 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.