Verdict: MALICIOUS
Risk Score: 126

Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The file is flagged as malicious by the ML classifier and by ClamAV, which names it a PDF phishing trojan. Its single link annotation points to an external redirector (smidgel.ru) whose utm_term parameter carries a search lure for a TV episode title; the document text, though heavily obfuscated, appears to be built around that same lure and lists dozens of further PDF URLs parked on free hosting. The PDF carries no exploit of its own; the risk is the redirect and payload chain behind the linked destinations. Note that the T1059.007 (JavaScript) mapping above is not corroborated by any heuristic on this page: the only active content reported is a URI action.
Machine Learning
- Nyx PDF Classifier malicious score 0.9969
Heuristics (5)
- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL channel label for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://smidgel.ru/pbw?utm_term=kasam+tere+pyaar+ki+full+episode+256 (PDF link annotation)
  - https://giwaxevo.weebly.com/uploads/1/3/4/6/134644090/6506980.pdf (in PDF document text)
  - https://static.s123-cdn-static.com/uploads/4413848/normal_5fcc7bbb82aab.pdf (in PDF document text)
  - https://nagaleburanab.weebly.com/uploads/1/3/4/3/134379557/97b576a849112.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4384164/normal_600e424b8fc71.pdf (in PDF document text)
  - https://mibomawategufu.weebly.com/uploads/1/3/4/5/134584653/bakidorufowe.pdf (in PDF document text)
  - https://bezesigut.weebly.com/uploads/1/3/2/6/132681157/mudubojevogoxugimipu.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4366384/normal_6041fea37d093.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4369516/normal_6048a33e545a6.pdf (in PDF document text)
  - https://pujumisetuwu.weebly.com/uploads/1/3/4/5/134576336/4429889.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - https://uploads.strikinglycdn.com/files/08c27144-de31-4693-988a-b92ba5b2c94e/88114037738.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/4a152b17-cdd5-4d59-905a-9bc7ae09c9f4/best_mod_for_silent_hunter_3.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/acb8c962-93db-4c1b-a05e-ab43f2e62d97/why_does_my_bobbin_thread_keep_jamming.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/e9ddf36d-42f4-48c6-b231-99df7c931d5b/39122795174.pdf (in PDF document text)
  - http://kufujibumufa.pbworks.com/f/8970029884.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/e358d8ad-f32b-473d-9591-e591b39fda6d/12534548259.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/b3806aa0-e83a-48ee-bc9a-4771c6333b15/what_is_the_best_breakfast_smoothie_for_weight_loss.pdf (in PDF document text)
  - http://foziwedugumu.pbworks.com/w/file/fetch/144465387/everyday_spelling_grade_6_answers.pdf (in PDF document text)
  - http://wijozuzapusa.pbworks.com/w/file/fetch/144436719/tezorunesawijex.pdf (in PDF document text)
  - http://jeselivid.pbworks.com/w/file/fetch/144486447/sisizutadavepa.pdf (in PDF document text)
  - http://vejivab.pbworks.com/w/file/fetch/144462384/microsoft_office_professional_plus_2010_activator.pdf (in PDF document text)
  - http://visetululiv.pbworks.com/w/file/fetch/144413427/95021529471.pdf (in PDF document text)
  - http://noxixap.pbworks.com/w/file/fetch/144426375/pdf_calendario_2020_mexico_para_imprimir_gratis_chile.pdf (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
  - http://dejavu.sourceforge.net (in PDF document text)
  - http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
  - http://scripts.sil.org/OFL (in PDF document text)
  Only the smidgel.ru entry is a clickable link annotation; the .pdf URLs are plain strings in the page text. The w3.org, purl.org and ns.adobe.com entries are XMP namespace identifiers from the metadata stream, and the ascendercorp.com, dejavu.sourceforge.net and scripts.sil.org entries are vendor and licence URLs from the embedded font name tables; none of those are navigable link targets and they are not part of the link-farm signal.
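The PDF_SEO_DISPOSABLE_LINK_FARM heuristic above is a host-distribution test rather than a signature. The following added example (not the analyzer's own code) re-implements that shape in Python and runs it over the navigable URLs the report extracted from this sample, with a constructed benign citation list for contrast. The thresholds, the disposable-host suffix list and the function names are assumptions chosen for illustration; a production rule would use a broader host list.

```python
"""Re-implementation of the SEO disposable link-farm heuristic (example code)."""
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Free/disposable content hosts that park SEO-bait PDFs. Assumed list, built
# from the hosts that appear in this report.
DISPOSABLE_HOST_SUFFIXES = (
    ".weebly.com", ".strikinglycdn.com", ".pbworks.com",
    ".f-static.net", ".s123-cdn-static.com",
)

# Link targets the report extracted from this sample (XMP namespace and font
# licence strings are omitted because they are not navigable links).
SAMPLE_URLS = [
    "https://smidgel.ru/pbw?utm_term=kasam+tere+pyaar+ki+full+episode+256",
    "https://giwaxevo.weebly.com/uploads/1/3/4/6/134644090/6506980.pdf",
    "https://static.s123-cdn-static.com/uploads/4413848/normal_5fcc7bbb82aab.pdf",
    "https://nagaleburanab.weebly.com/uploads/1/3/4/3/134379557/97b576a849112.pdf",
    "https://cdn-cms.f-static.net/uploads/4384164/normal_600e424b8fc71.pdf",
    "https://mibomawategufu.weebly.com/uploads/1/3/4/5/134584653/bakidorufowe.pdf",
    "https://bezesigut.weebly.com/uploads/1/3/2/6/132681157/mudubojevogoxugimipu.pdf",
    "https://cdn-cms.f-static.net/uploads/4366384/normal_6041fea37d093.pdf",
    "https://cdn-cms.f-static.net/uploads/4369516/normal_6048a33e545a6.pdf",
    "https://pujumisetuwu.weebly.com/uploads/1/3/4/5/134576336/4429889.pdf",
    "https://uploads.strikinglycdn.com/files/08c27144-de31-4693-988a-b92ba5b2c94e/88114037738.pdf",
    "https://uploads.strikinglycdn.com/files/4a152b17-cdd5-4d59-905a-9bc7ae09c9f4/best_mod_for_silent_hunter_3.pdf",
    "https://uploads.strikinglycdn.com/files/acb8c962-93db-4c1b-a05e-ab43f2e62d97/why_does_my_bobbin_thread_keep_jamming.pdf",
    "https://uploads.strikinglycdn.com/files/e9ddf36d-42f4-48c6-b231-99df7c931d5b/39122795174.pdf",
    "http://kufujibumufa.pbworks.com/f/8970029884.pdf",
    "https://uploads.strikinglycdn.com/files/e358d8ad-f32b-473d-9591-e591b39fda6d/12534548259.pdf",
    "https://uploads.strikinglycdn.com/files/b3806aa0-e83a-48ee-bc9a-4771c6333b15/what_is_the_best_breakfast_smoothie_for_weight_loss.pdf",
    "http://foziwedugumu.pbworks.com/w/file/fetch/144465387/everyday_spelling_grade_6_answers.pdf",
    "http://wijozuzapusa.pbworks.com/w/file/fetch/144436719/tezorunesawijex.pdf",
    "http://jeselivid.pbworks.com/w/file/fetch/144486447/sisizutadavepa.pdf",
    "http://vejivab.pbworks.com/w/file/fetch/144462384/microsoft_office_professional_plus_2010_activator.pdf",
    "http://visetululiv.pbworks.com/w/file/fetch/144413427/95021529471.pdf",
    "http://noxixap.pbworks.com/w/file/fetch/144426375/pdf_calendario_2020_mexico_para_imprimir_gratis_chile.pdf",
]

# Constructed contrast case: a normal citation pattern, most links on one
# publisher host, no SEO redirector. Hosts are placeholders.
BENIGN_URLS = [
    "https://papers.example.org/2021/paper1.pdf",
    "https://papers.example.org/2021/paper2.pdf",
    "https://papers.example.org/2020/paper3.pdf",
    "https://papers.example.org/2019/paper4.pdf",
    "https://papers.example.org/2019/paper5.pdf",
    "https://standards.example.net/spec.pdf",
]


def is_disposable(host):
    """True when the host sits under one of the assumed free-hosting suffixes."""
    host = (host or "").lower()
    return any(host.endswith(s) for s in DISPOSABLE_HOST_SUFFIXES)


def assess_link_farm(urls, min_pdf_links=8, max_dominant_share=0.5,
                     min_disposable_share=0.5):
    """Score the link-farm shape described in the report: many external .pdf
    links, no single dominant host, corroborated by a utm_term SEO redirector
    and/or a high share of links on disposable hosts. Thresholds are assumed."""
    pdf_links = [u for u in urls if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    n = len(pdf_links)
    dominant_share = max(hosts.values()) / n if n else 0.0
    disposable_share = (sum(c for h, c in hosts.items() if is_disposable(h)) / n
                        if n else 0.0)
    # utm_term on an outbound link is the search query the page ranks for,
    # i.e. the lure the victim typed. parse_qs turns '+' back into spaces.
    lures = [parse_qs(urlsplit(u).query).get("utm_term", [None])[0] for u in urls]
    lures = [lure for lure in lures if lure]
    spread_thin = n >= min_pdf_links and dominant_share <= max_dominant_share
    corroborated = bool(lures) or disposable_share >= min_disposable_share
    return {
        "pdf_link_count": n,
        "distinct_hosts": len(hosts),
        "dominant_share": round(dominant_share, 3),
        "disposable_share": round(disposable_share, 3),
        "seo_lures": lures,
        "is_link_farm": spread_thin and corroborated,
    }


if __name__ == "__main__":
    for name, urls in (("sample", SAMPLE_URLS), ("benign", BENIGN_URLS)):
        print(name, assess_link_farm(urls))
```

On this sample the test sees 22 PDF links over 15 distinct hosts, the most common host (uploads.strikinglycdn.com) holding only about 27% of them, every one of them on free hosting, plus the utm_term lure "kasam tere pyaar ki full episode 256"; the benign list fails the spread-thin test because one host dominates. Note that only the smidgel.ru link is a real annotation in this file; the heuristic treats bare URL strings in page text as clickable because most viewers auto-link them.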
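The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic above hinges on two readers disagreeing about which definition of an object wins. The following added example (not the analyzer's own code) scans raw PDF bytes for every `N G obj ... endobj` definition, reports object numbers defined more than once with differing bodies, shows what a first-wins and a last-wins reader would each resolve, and raises severity only when a duplicate body carries active content, as the rule text describes. The sample PDF bytes, the active-content key list and the function names are constructed for this example; the token scan is deliberately simpler than a real xref-driven parser.

```python
"""Detect indirect objects defined twice with different bodies (example code)."""
import re
from collections import defaultdict

# `N G obj <body> endobj`. The negative lookbehind keeps "10 0 obj" from being
# matched inside "110 0 obj". Binary stream data can legitimately contain the
# token "endobj"; a production parser walks the xref table instead.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)

# Dictionary keys that make an object "active" (assumed list for this example).
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|URI|Launch|OpenAction|AA|SubmitForm|GoToR)\b")
URI_RE = re.compile(rb"/URI\s*\((.*?)\)")

# Constructed sample: a minimal PDF followed by an incremental update that
# re-defines the link annotation (object 4) with a new target, re-defines the
# page (object 3) with a harmless extra key, and re-emits object 2 unchanged.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://example.com/benign.pdf) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # --- incremental update appended to the original file ---
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://redirector.invalid/pbw?utm_term=lure) >> >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Prev 9 >>\n%%EOF\n"
)


def find_object_defs(data):
    """Map (num, gen) -> list of (offset, body) in file order."""
    defs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        defs[key].append((m.start(), m.group(3).strip()))
    return defs


def uri_in(body):
    """Return the /URI string inside an object body, or None."""
    m = URI_RE.search(body)
    return m.group(1).decode("latin-1") if m else None


def find_duplicate_bodies(data):
    """Report objects defined more than once with differing bodies.

    Identical re-emissions (a benign re-save) are skipped. Severity is 'info'
    for a body-only difference and 'medium' when any of the duplicate bodies
    carries active content, because a first-wins reader (many static
    scanners) and a last-wins reader (most viewers, which honour the latest
    incremental update) would then act on different content."""
    findings = []
    for key, defs in sorted(find_object_defs(data).items()):
        if len(defs) < 2:
            continue
        bodies = {body for _, body in defs}
        if len(bodies) < 2:
            continue
        active = any(ACTIVE_RE.search(body) for body in bodies)
        findings.append({
            "object": key,
            "definitions": len(defs),
            "first_wins": defs[0][1],
            "last_wins": defs[-1][1],
            "severity": "medium" if active else "info",
        })
    return findings


if __name__ == "__main__":
    for f in find_duplicate_bodies(SAMPLE_PDF):
        print(f["object"], f["severity"], uri_in(f["first_wins"]), "->", uri_in(f["last_wins"]))
```

Run against a real file with `find_duplicate_bodies(open(path, "rb").read())`. On the constructed sample, object 3 is reported at info (a body-only difference, the common benign incremental-update case) and object 4 at medium, because a first-wins reader resolves the link to example.com while a last-wins reader resolves it to the redirector; object 2 is not reported at all since its two copies are byte-identical.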
Extracted artifacts (4)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_007_off00024684.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x24684 | 18116 bytes | f46ba9e927a6dac88b8dc50b58d55ad1a6b4cf87a55ab09dd8de699611c00c28 |
| font_00_sfnt_off0001f5dc.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1F5DC | 5252 bytes | 604adbad45626808641128f04d46f11595db57e363fe2b0dd7b6270bc57cb8b8 |
| font_01_sfnt_off0002080a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2080A | 5732 bytes | 9b9b09e9dcc729039d9874a775c1f96db00542bb6090a835fdaefc63064305f9 |
| font_02_sfnt_off00021b8a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x21B8A | 13516 bytes | 60ab7362998efed170c15a0c0cee7e67f7a19170306f5c09f65396913608006d |