MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains an embedded URL that redirects to a malicious domain, disguised as a search result for exam questions. ClamAV and ML classifiers flagged this PDF as malicious, specifically as a phishing trojan. The presence of an external URI and the overall classification strongly suggest a phishing attempt to redirect users to a malicious site.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics 4
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://midufefew.ru/aws?utm_term=six+sigma+yellow+belt+exam+questions+and+answers
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000e979.bin d7aee468eeb0c3e8251fe56ed9a6330d737e5bf473ee7c7e37295ea46e272109 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE979 | 5776 bytes |
| font_01_sfnt_off0000fd16.bin ba20825401d1bc0802e7963144ad48c0321ca4b1f489483e43fe8de56f48bb2d | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFD16 | 11420 bytes |