MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The presence of embedded URLs, specifically 'https://soxebez.ru/wix?keyword=ugadi+2020+chicago', suggests a phishing or credential harvesting attempt. The document body, though heavily obfuscated, contains references to 'wkhtmltopdf' and dates, potentially part of a lure to disguise the malicious nature of the PDF.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://soxebez.ru/wix?keyword=ugadi+2020+chicago
- https://cdn.sqhk.co/kepilujofeje/Hidijhg/jio_meet_app_download_for_android_mobile.pdf
- http://matimomewojime.mypressonline.com/30860014599.pdf
- https://xokekujederal.weebly.com/uploads/1/3/0/9/130969763/vurutomusasoxig-kipukozen-kadup-voraxofovu.pdf
- https://cdn-cms.f-static.net/uploads/4469359/normal_602e31cab2151.pdf
- https://cdn-cms.f-static.net/uploads/4475380/normal_6011de3caabbc.pdf
- https://kidenido.weebly.com/uploads/1/3/1/6/131636891/faxitilurimaxe.pdf
- https://cdn.sqhk.co/nixivezez/fpgjfjh/scary_doll_fake_call_joke_download.pdf
- http://tifusavegapawuf.mygamesonline.org/personality_psychology_larsen.pdf
- https://static.s123-cdn-static.com/uploads/4385617/normal_5ff98e78ca1d0.pdf
- http://rujewazaxijaza.sportsontheweb.net/24928168769.pdf
- https://cdn.sqhk.co/zolilogifuxe/heckpjb/ludalukared.pdf
- https://cdn.sqhk.co/duravukikemo/nQPDdia/dozinejokegupalezoxija.pdf
- https://cdn.sqhk.co/zegofurop/ZRyZdnS/vinibexe.pdf
- https://cdn-cms.f-static.net/uploads/4443602/normal_601260e0e936e.pdf
- https://cdn-cms.f-static.net/uploads/4374978/normal_602ef1a339902.pdf
- https://pikoxujedogusu.weebly.com/uploads/1/3/4/6/134665618/vunirurotikuro-pakuwu-savima.pdf
- https://kasasifu.weebly.com/uploads/1/3/4/6/134697732/fikivuwebixulu.pdf
- https://zumuwezejulo.weebly.com/uploads/1/3/1/4/131455722/cdefa078.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/ada30f26-7f17-48c9-9ea7-02d358e9d22c/96708990537.pdf
- http://jopubijako.atwebpages.com/10423242481.pdf
- https://uploads.strikinglycdn.com/files/d665398e-e1df-48bd-b53d-d521d14f1e71/1368399276.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e193.bin3ebe9d3877c91bd75dc607b031868604a84e723ed9e1ea7e974b7525f6cf00f9 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE193 | 5160 bytes |
font_01_sfnt_off0000f323.bin32ecae28e6dcaae9831b70d6b0257b03841e07d2115cbb72582c530de3a1b413 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF323 | 11020 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.