Verdict: MALICIOUS (risk score 96)
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The file is a PDF document detected as malicious by ClamAV and by an ML classifier. It carries an external URI action whose target is 'https://dafemum.ru/123?utm_term=the+curated+closet+boutique', a shape typically used either for phishing or for fetching a second-stage payload. The document body is heavily obfuscated and unreadable, but the URI action together with the ClamAV signature and the classifier score strongly suggests a phishing or malware delivery attempt. Note that the ATT&CK mapping to T1059.007 (JavaScript) is not backed by a JavaScript-specific heuristic in the detections listed below; the heuristics evidence the URI action and a duplicated object definition.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics (4)
- ClamAV detection [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- External URI [info, PDF_URI]: the PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: the same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
- https://dafemum.ru/123?utm_term=the+curated+closet+boutique
- https://cdn.sqhk.co/tobepeliv/fYif2a9/drill_master_heat_gun_price.pdf
- https://static.s123-cdn-static.com/uploads/4413465/normal_6001fe3b6f87e.pdf
- https://cdn-cms.f-static.net/uploads/4407070/normal_601851b64933b.pdf
- http://pozesex.iblogger.org/bumelugiju.pdf
- https://cdn.sqhk.co/mujowofapubi/heM3gcJ/cnbc_make_it_instagram.pdf
- https://cdn.sqhk.co/levowexesu/gaje3Xp/nekoxuxevebagaget.pdf
- http://zekoselu.22web.org/york_diamond_80_furnace_filter_replacement.pdf
- http://lenulari.mypressonline.com/26430361020.pdf
- http://tesekal.mygamesonline.org/waduzufudejumebusofizaru.pdf
- https://cdn.sqhk.co/tetolonul/hHiaq4Z/jirudex.pdf
- http://fovikoxesaweziz.medianewsonline.com/73353711363.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://guxudapese.epizy.com/tagodetiruvogamag.pdf
- https://7e005a1c-fb68-43c1-af83-b854b6a2d282.filesusr.com/ugd/dcfb95_12dfd8e216144033b3b50505a095713a.pdf?index=true
- http://bibuxitagarilum.rf.gd/66950326541.pdf
- https://656adf98-7a81-40bd-8d0f-2b9c27d09201.filesusr.com/ugd/268ab1_c6fb1b7337a64395a9ad6b769638252d.pdf?index=true
- http://nuluwajewugutik.onlinewebshop.net/how_to_start_word_processing.pdf
- http://lisuxuzilim.epizy.com/68448694535.pdf
- https://69cf8a46-0d3d-4b71-8fd1-93df925da18e.filesusr.com/ugd/e4064d_e6f1317c8f624646a625e4f491c51bcc.pdf?index=true
- https://40785fcd-1e5e-4316-9306-5db1d5795eae.filesusr.com/ugd/2f07a1_6ea2ae292c0a4dd78db0e52ac2bdeced.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

The last seven entries are not navigable links: the w3.org, purl.org and ns.adobe.com URIs are XMP namespace identifiers from the document's metadata packet, and scripts.sil.org/OFL is the SIL Open Font License URL that font files commonly embed. The ascendercorp.com entries most likely come from the name table of the embedded fonts listed under Extracted artifacts (an inference from their content, not something the report states). The actionable link is the dafemum.ru URI action; the remaining .pdf links on free-hosting and CDN domains are the ones to pivot on for related samples.
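The two PDF heuristics above (PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a raw-byte scan. The script below is an added example, not the analyzer's own code: it collects every `N G obj ... endobj` definition, flags object numbers that are defined more than once with differing bodies, marks the duplicate as active content when a later definition carries an action key, and lists the `/URI` targets a first-wins reader and a last-wins reader would each resolve. The sample PDF, its object numbers and both URLs in it are constructed for the demo and are not taken from the analysed file; real readers resolve objects through the xref chain, so the two policies here are an approximation of the divergence the heuristic describes.

```python
"""
Added example, not code from the analyzer that produced this report.
Checks on raw PDF bytes:
1. PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: an object number defined more than
   once with different body bytes, so first-wins and last-wins readers
   resolve different content;
2. PDF_URI: /URI targets of link actions, reported under both policies.
The sample PDF is constructed inline (placeholder URLs, not the report's).
"""
import re
from collections import defaultdict

# "N G obj <body> endobj": object number, generation, body bytes.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# /URI (literal string); the hex-string form /URI <...> is not handled here.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Dictionary keys whose presence makes a redefined object "active content"
# (plain substring match, sufficient for the demo).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI",
               b"/OpenAction", b"/AA", b"/SubmitForm", b"/GoToR")

# Constructed sample: a minimal one-page PDF whose link annotation (object 4)
# is redefined by an incremental update appended after the first %%EOF.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link"
    b" /A << /S /URI /URI (https://example.org/benign) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link"
    b" /A << /S /URI /URI (https://attacker.example/123) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)


def parse_objects(data: bytes) -> dict:
    """Map (num, gen) -> list of body bytes in file order; every definition is kept."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return dict(objs)


def duplicate_objects(objs: dict) -> dict:
    """Objects defined more than once with at least two distinct bodies.

    'active' is True when any later definition carries an action key, the
    condition under which the report raises the finding's severity.
    """
    dups = {}
    for key, bodies in objs.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            active = any(k in body for body in bodies[1:] for k in ACTIVE_KEYS)
            dups[key] = {"first": bodies[0], "last": bodies[-1], "active": active}
    return dups


def extract_uris(objs: dict, policy: str = "last") -> list:
    """/URI targets visible to a first-wins or a last-wins reader."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    uris = []
    for bodies in objs.values():
        body = bodies[0] if policy == "first" else bodies[-1]
        uris.extend(m.group(1).decode("latin-1") for m in URI_RE.finditer(body))
    return uris


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_PDF)
    for (num, gen), info in duplicate_objects(objs).items():
        print(f"object {num} {gen} defined twice, active content: {info['active']}")
    for policy in ("first", "last"):
        print(policy + "-wins URIs:", extract_uris(objs, policy))
```

Run it against a real sample by replacing `SAMPLE_PDF` with the file's bytes; a non-empty result from `duplicate_objects` whose two URI lists differ is exactly the parser-confusion shape the heuristic flags, while a duplicate with `active` False is the benign incremental-update case the report deliberately keeps at info severity.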
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000d24d.bin | ce1cec4c3c91ff2b46c0d24489938755fbdeae0ced6118ed9bffd56619e0369e | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD24D | 5240 bytes |
| font_01_sfnt_off0000e40d.bin | df0f35bd032e95288a8e7b839a7f525904d5ea659ee8d4b081b665e54846559d | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE40D | 11052 bytes |