MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
This PDF file was flagged by multiple heuristics as malicious, including a critical finding for brand-impersonation credential phishing targeting Amazon. It contains numerous external URIs, with a notable redirector chain leading to a PDF hosted on weebly.com. The ML classifier also strongly indicated maliciousness.
Machine Learning
- Nyx PDF Classifier malicious score 0.9991
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Brand-impersonation credential phishing lure critical SE_BRAND_CREDENTIAL_PHISHDocument impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://jakikoxu.weebly.com/uploads/1/3/1/4/131411542/2e9f61.pdf.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://mezovuduw.ru/123?utm_term=neato+xv-21+software+update+3.4 PDF link annotation
- http://zyzycheat8.xyz/videlanevavbwvrv.pdfIn PDF document text
- https://cdn.sqhk.co/juzosugun/gZwLsQb/31427747246.pdfIn PDF document text
- http://card2card-perevod24.site/44429947656wv2oy.pdfIn PDF document text
- https://jakikoxu.weebly.com/uploads/1/3/1/4/131411542/2e9f61.pdfIn PDF document text
- http://vudujupuboneg.22web.org/sejamorafafe.pdfIn PDF document text
- https://jinuwipalo.weebly.com/uploads/1/3/5/3/135332432/pajanedivatebaw_sugulodufi_jomixugowe_fefawifolugebiz.pdfIn PDF document text
- https://cdn.sqhk.co/sofopiro/jhhjFie/pocket_minecraft_seeds.pdfIn PDF document text
- https://nunofisodopuw.weebly.com/uploads/1/3/4/2/134234763/wagoguwikatedafa.pdfIn PDF document text
- http://setofexperience.site/pawaxikavifuxodigop7p.pdfIn PDF document text
- https://zeruposizagaki.weebly.com/uploads/1/3/4/8/134854722/ligokofigi.pdfIn PDF document text
- https://cdn.sqhk.co/wobimore/zjahihg/83203069130.pdfIn PDF document text
- http://salonop.xyz/tipos_de_sistemas_operativos7vjwr.pdfIn PDF document text
- http://sonoxusa.iblogger.org/farmville_2_launcher_by_zynga_installation_guide.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/0c54aa50-adf1-45dd-939a-f6ec2da9c9f7/does_apple_have_audiobooks_subscription.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/3754cef7-dfac-4b09-a9e8-0d814ab14332/47380521309.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/dfe2896b-b6ba-4d46-8555-ed69849f5f9c/42749582327.pdfIn PDF document text
- https://41c240d9-b4af-4f88-8fa4-2a41cce3a287.filesusr.com/ugd/01bc73_58c64ef2e60f44e39d95d0394164cc01.pdf?index=trueIn PDF document text
- https://2cc3dcad-61c1-4442-8662-ca5be7cd8672.filesusr.com/ugd/71b93f_a8a5ab14ae224200bfc2325879e0d068.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/3e32be10-88ae-4b10-a64d-dc56ce580180/what_is_steam_cycle_on_lg_washer.pdfIn PDF document text
- http://ruvatarojamun.rf.gd/sizuwuxutuxusununo.pdfIn PDF document text
- https://8fc1c2d6-49ba-4d63-8b95-0327ef2b1627.filesusr.com/ugd/1849a1_5c20557401564b1cb6ddd74ffe9c6079.pdf?index=trueIn PDF document text
- http://nebiviteg.rf.gd/tomigudupasimedas.pdfIn PDF document text
- http://monuwuvit.rf.gd/zegavexegeta.pdfIn PDF document text
- https://55963656-6eb1-4b25-bcd5-bb835d65808b.filesusr.com/ugd/0064ae_164b337474fc48b089e5bd6be78bf514.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e3b6.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE3B6 | 5692 bytes |
SHA-256: 2117d0e00905ce7b555348f13737af2a213b11a15485c88bfadb54f1df7e0203 |
|||
font_01_sfnt_off0000f768.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF768 | 14380 bytes |
SHA-256: 05f3d885bb7d30dd885c497d6a5a6c7e8d01c5942c1df26d8f746c2a42dcd0d6 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.