MALICIOUS
104
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The file is a PDF document flagged as malicious by a machine learning classifier and ClamAV. It contains an embedded URI pointing to 'mezovuduw.ru', which is likely a phishing or malware distribution site. The presence of a 'download button' heuristic further suggests a social engineering attempt to trick the user into downloading a payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://mezovuduw.ru/wix?keyword=remote+play+apk+latest+version+2019
- http://kulixebuvalafin.iblogger.org/john_deere_trs21.pdf
- http://gakagebir.mypressonline.com/44992750746.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://ca39a19f-16f9-469f-ab0b-65ec0463b8d0.filesusr.com/ugd/cc9b97_01294ee412124b2393a5dbb76d2e2985.pdf?index=true
- https://uploads.strikinglycdn.com/files/ce78161b-f8f3-401e-98fc-fd5c8c97bbca/62153428565.pdf
- http://vazojebimuvap.epizy.com/chori_chori_movie_1956_songs_free.pdf
- https://s3.amazonaws.com/lekizopiloref/22266449313.pdf
- http://zogojazaje.rf.gd/tofimudasabebefexotixa.pdf
- https://s3.amazonaws.com/fezenur/tofatuwovijuxitofobepu.pdf
- http://fidegaf.atwebpages.com/construction_building_inspection_checklist.pdf
- https://uploads.strikinglycdn.com/files/e285f9e5-0c05-451a-b026-7c8ae8e4b996/social_media_marketing_plan_definition.pdf
- http://barajolu.rf.gd/little_shop_of_horrors_full_cast_list.pdf
- http://mimelaketikapex.rf.gd/ge_dehumidifier_70_pint_repair.pdf
- https://e148473a-3d1a-46f8-b788-fbc1f5af68d4.filesusr.com/ugd/e1e70b_663c2a68df0147c08a15223d0dde2c26.pdf?index=true
- https://s3.amazonaws.com/jukoxisojow/60910239746.pdf
- https://uploads.strikinglycdn.com/files/e7512aab-ab49-478c-be74-a80da29d57eb/verukajobajix.pdf
- https://80b1f93a-fe74-4439-a81d-34814fa7a505.filesusr.com/ugd/e56fe2_aa80768453984ac1a54a585ae9c3417e.pdf?index=true
- http://mowigibimubepi.rf.gd/asus_b85m-e_br_bios.pdf
- https://uploads.strikinglycdn.com/files/8c247af8-b990-4c32-813e-7805f3a9fcca/57839088379.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f003.bin2c573af08a738c9667054201902a59c33eef5876d0102b187102e053267fbba4 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF003 | 5680 bytes |
font_01_sfnt_off00010355.bin3fde5714cdbcba647098a2c53252494da7a9693d2ee65aede4ff5d6e2debaedd |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10355 | 18832 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.