MALICIOUS
Risk Score: 164
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF document contains a lure related to income tax declaration, which is a common tactic for phishing or malware distribution. It embeds numerous external links, including one to 'jottigo.ru', suggesting a link farm or redirection mechanism. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or trojan delivery.
Machine Learning
- Nyx PDF Classifier malicious score 0.9990
Heuristics 6
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Fake invoice / payment lure (low, SE_INVOICE_LURE): Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL https://jottigo.ru/strik?utm_term=how+to+declare+income+tax+malaysia+2021 (PDF link annotation)
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off000104a6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x104A6 | 5420 bytes | 316a16900f8817c6939cb3a3e2c3f86f95d19b1a41b49c7a85f241d49f4dbf94 |
| font_01_sfnt_off0001170e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1170E | 11504 bytes | 0660023944fb02e3703ceecc316810c4d7214666a24e074936b011d72e58e6a6 |
| font_02_sfnt_off00013e3f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13E3F | 4324 bytes | 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2 |