Verdict: MALICIOUS
Risk Score: 136
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains multiple heuristics indicating malicious intent, including suspicious links and ML classification. The presence of embedded URLs and the detection by ClamAV as a phishing trojan strongly suggest a phishing or malware distribution campaign. The document body is heavily obfuscated and does not provide clear textual lures, but the overall structure and URL targets point to a malicious payload delivery.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Image-heavy PDF with invisible link to suspicious domain (high, PDF_SUSPICIOUS_LINK_LURE): PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00013e1f.bin | 976bcc0af10e6ceec027dfd8d2244e564d6a3c5126445da7ac35e6df9907cb83 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13E1F | 4892 bytes |
| font_01_sfnt_off00014eac.bin | 2a06891d493a609bda72ac4775df8c5c9732c094b475d66afa360c33aee1bce2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14EAC | 10308 bytes |
| font_02_sfnt_off00017217.bin | ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17217 | 4324 bytes |