Verdict: MALICIOUS
Risk Score: 96

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF file contains numerous embedded URLs, with one prominent URL pointing to 'zajinet.ru' which is likely a phishing or malware distribution site. The ClamAV detection and ML classifier strongly indicate malicious intent, consistent with a phishing lure. Although no scripts were explicitly extracted, the presence of multiple external URLs suggests the document is designed to redirect users to malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics (4)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://zajinet.ru/strik?utm_term=power+probe+3+master+kit+reviews
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000ef1a.bin (a5ea67e5b2f3d261ce608f54c4c561373d443604cf4ed6bdea63e95438bbaaba) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEF1A | 5456 bytes |
| font_01_sfnt_off000101a7.bin (66554d89691f026118feefb8ff39cf9e1bf0bbe6c9ff0f9c5eed38e2249b3f73) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x101A7 | 11752 bytes |