MALICIOUS
216
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF document was flagged by multiple heuristics as malicious, including credential phishing and a link farm. It impersonates McAfee to lure users into clicking a link that leads to a redirector, likely to download a second-stage payload. The presence of embedded URLs and the ML classifier output strongly indicate a phishing attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Brand-impersonation credential phishing lure critical SE_BRAND_CREDENTIAL_PHISHDocument impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://taxurazuzar.weebly.com/uploads/1/3/4/0/134042721/5a7287f.pdf.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://jacksth.ru/strik?utm_term=hack+avast+free+antivirus+license+key+2020 PDF link annotation
- https://taxurazuzar.weebly.com/uploads/1/3/4/0/134042721/5a7287f.pdfIn PDF document text
- https://digokevun.weebly.com/uploads/1/3/4/7/134747151/jozotovatejas.pdfIn PDF document text
- https://gononazenikemad.weebly.com/uploads/1/3/4/4/134482012/3883466.pdfIn PDF document text
- https://xivanolub.weebly.com/uploads/1/3/1/3/131380121/penidunimul.pdfIn PDF document text
- https://nijusalelazi.weebly.com/uploads/1/3/4/8/134875584/51d13d59b1fb4c.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4486061/normal_600f79c8b236f.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4460982/normal_600a4fc0ac13d.pdfIn PDF document text
- https://nawivavunof.weebly.com/uploads/1/3/4/6/134669961/gejatafekasodine.pdfIn PDF document text
- https://xiruzavaxukegaf.weebly.com/uploads/1/3/5/3/135324830/divagi_nozalu_dibuferewasigik_satevazidu.pdfIn PDF document text
- https://batopida.weebly.com/uploads/1/3/4/6/134689087/mujolitetumeposadeto.pdfIn PDF document text
- https://tanofome.weebly.com/uploads/1/3/5/3/135316841/xububelilawojugek.pdfIn PDF document text
- https://monijakuxit.weebly.com/uploads/1/3/4/3/134362478/2048864.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/6e538e70-7302-42af-a8a4-262dcf822c98/how_to_take_your_measurements_to_track_weight_loss.pdfIn PDF document text
- https://s3.amazonaws.com/sojebelevenex/surodig.pdfIn PDF document text
- https://s3.amazonaws.com/lopadivupudexa/ledoxulozinejikipoleda.pdfIn PDF document text
- https://s3.amazonaws.com/divelatoxa/85990481940.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/4831a897-1d20-4c2b-91f6-77d8ae94454a/evenflo_symphony_dlx_convertible_4-in-1_car_seat.pdfIn PDF document text
- https://s3.amazonaws.com/megelugik/22949778847.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/958094b5-f938-4864-85ad-5ac1c778f5a9/92908879482.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/549a4bb6-7a95-4455-a680-ba7cb3977523/jimamuwapekadedejakew.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000eee3.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEEE3 | 5336 bytes |
SHA-256: d2b9f178d23ffaf50a47d3499fa4eb4a4d577583688942f76833b70f7c5733aa |
|||
font_01_sfnt_off00010124.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10124 | 10704 bytes |
SHA-256: 3177f931d956e0c83069c73aa79360fafe1d5923b4f65ccef02fb62a8eb489d7 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.