MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains an embedded URL that redirects to a site offering a "final fantasy 7 mod menu apk", suggesting a phishing or malware distribution lure. ClamAV and ML classifiers strongly indicate maliciousness, and the PDF_URI heuristic points to a suspicious external URL. No scripts were extracted, but the overall structure and embedded URL are indicative of a phishing attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://leonvi.ru/wix?keyword=final+fantasy+7+mod+menu+apk
- https://cdn-cms.f-static.net/uploads/4477886/normal_604ce5e73870f.pdf
- https://cdn-cms.f-static.net/uploads/4414701/normal_5fe7bcbdbabb1.pdf
- https://cdn-cms.f-static.net/uploads/4479679/normal_602f2f0260d99.pdf
- https://static.s123-cdn-static.com/uploads/4413842/normal_5ff93094d66ec.pdf
- https://cdn.sqhk.co/rolileduvof/ejgjbic/85748566829.pdf
- https://cdn.sqhk.co/segenapiza/hhqvbCI/poberotibodab.pdf
- http://fepaporipevari.mypressonline.com/4593079477.pdf
- http://xusolupofedowi.iblogger.org/24586395781.pdf
- http://dokinal.iblogger.org/77657897694.pdf
- https://cdn.sqhk.co/fedovipawe/l7ngjce/learn_html5_free_download.pdf
- https://cdn-cms.f-static.net/uploads/4471703/normal_6038fe275ff4e.pdf
- http://jojidasusesot.sportsontheweb.net/how_to_drain_swamp_cooler_for_winter.pdf
- http://ragitikevuwa.22web.org/51556480194.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://bobujosu.epizy.com/autotune_evo_vst_64_bit.pdf
- https://uploads.strikinglycdn.com/files/8c998fa6-d128-447d-af53-01c28f1e1d6b/how_to_connect_sony_soundbar_ht-ct290.pdf
- https://uploads.strikinglycdn.com/files/cd08ba54-ff11-4a0a-b69e-d5855b87c9ff/24230757866.pdf
- https://uploads.strikinglycdn.com/files/88e868de-6094-4b25-8e20-7c6837fa88a8/basic_spoken_english_course.pdf
- http://vusukunuvedigup.epizy.com/how_expensive_is_firehouse_subs.pdf
- http://bukaduxanob.epizy.com/little_red_riding_hood.pdf
- http://kewagar.epizy.com/the_redemption_of_althalus_characters.pdf
- http://nisinukodepafix.rf.gd/fiberiruleginatojisa.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000ee3a.bin28de60d4e1b267663e5a2d7d6411bfff2459123120747c77db8f11c5eec0abd8 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEE3A | 5292 bytes |
font_01_sfnt_off0001004e.bin5acf8c7268883ab7ab1a9cbc5a52c415de7c94665049df00f77ee43cdc1d880c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1004E | 10452 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.