Verdict: MALICIOUS
Risk Score: 156
Malware Insights
MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF file was detected as malicious by ClamAV and an ML classifier, exhibiting characteristics of a phishing lure. It contains an external URI and an image lure pointing to a redirector URL, likely intended to trick users into downloading further malicious content or providing credentials. No scripts were extracted, but the PDF structure and heuristics suggest a phishing attack.
Machine Learning
- Nyx PDF Classifier malicious score 0.9993
Heuristics (6)
- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Image lure linking to an SEO redirector (free-download phishing) (high, PDF_SEO_UTM_REDIRECTOR_LINK): PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector, the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
- QR-code redirect lure (medium, SE_QR_LURE): Document instructs the user to scan a QR code with a phone, consistent with QR phishing, but also common in legitimate documents.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs: https://fokemale.ru/123?utm_term=annual+report+ais (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000e228.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE228 | 4800 bytes | d8b5ce0f3935c8a0becb7566c7aa7c4bc4aff016d5d827684bc4b02789f2a28e |
| font_01_sfnt_off0000f284.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF284 | 11176 bytes | 080782dd16aa79ddc76d4c4d7f8160f2aa18364dc8b0fbd399d7363f207a9495 |