MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and ML classifiers indicated a high probability of maliciousness. An external URI pointing to 'dafemum.ru' was extracted, suggesting a phishing or malware distribution attempt. The document body contains obfuscated text, and the file was authored by wkhtmltopdf, often used to generate malicious PDFs.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://dafemum.ru/wix?keyword=myteam+locker+codes+twitter
- https://static.s123-cdn-static.com/uploads/4366324/normal_5fcf9a17e3810.pdf
- https://cdn.sqhk.co/tefulobesa/hiihngj/6047410797.pdf
- https://cdn-cms.f-static.net/uploads/4499635/normal_602164f1ac7c1.pdf
- https://cdn.sqhk.co/buzovegom/jigeiji/9642650765.pdf
- http://xoxuvajes.mywebcommunity.org/75319097261.pdf
- https://cdn.sqhk.co/sokulutesi/rbjdEkG/galaxy_defenders_review.pdf
- https://cdn.sqhk.co/josurowelimu/iahjbgi/zolikew.pdf
- https://static.s123-cdn-static.com/uploads/4385410/normal_5ffad00368f95.pdf
- https://cdn-cms.f-static.net/uploads/4476437/normal_60443df179ea3.pdf
- http://trydouche.xyz/zopibiwilinidoxozarenikeks6ux.pdf
- http://sale-siberian-force.online/57309642876a7eti.pdf
- https://cdn.sqhk.co/bimonabozo/GjbUMjh/poweramp_equalizer_settings_2018.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://ad9f1622-e3b7-49db-bfef-326c48fb2104.filesusr.com/ugd/a467d2_1f279ba52f0b44aba8e407b91782042a.pdf?index=true
- https://uploads.strikinglycdn.com/files/f32d1b55-0967-4348-83e0-421342f070d9/is_blink_charging_worth_it.pdf
- http://kikanelomer.onlinewebshop.net/gulosuvazoxuvivulodifaz.pdf
- https://452af6f2-15a9-4b4c-bbab-52387d8fb70f.filesusr.com/ugd/b5472a_6647a27ff654488f8303db1840c1a61f.pdf?index=true
- https://33b7cf8b-1cb2-46d9-9063-17e97cba5e80.filesusr.com/ugd/9edd50_aa3f0c03739547cdbfaf1c3f5c50e45e.pdf?index=true
- https://uploads.strikinglycdn.com/files/d4f76ddb-65df-4302-8f3d-4d0bbda5dbe3/the_merchant_of_venice_short_summary_act_1.pdf
- https://40785fcd-1e5e-4316-9306-5db1d5795eae.filesusr.com/ugd/2f07a1_3ced8e143c4d4d17bc90c92e052fd4e6.pdf?index=true
- https://61090d85-22e6-4724-b969-52a17785150c.filesusr.com/ugd/952c2e_03501bf3442b4cc68c37d9331b506e9a.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000c7e4.bin2c5efc00be38f6babaa070f0a02a2cd7235a96402703b0c815e24d11c49df5e7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC7E4 | 5348 bytes |
font_01_sfnt_off0000da20.bin542cb75759118c44e5bb2f27f769c2b14e960467dfa4e95ab2db5b4175eb4d3c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDA20 | 9232 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.