MALICIOUS
216
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
T1204.001 Malicious Link
This PDF document is identified as a credential phishing lure impersonating the Chase brand. It contains a mass of external links, with a critical heuristic flagging it as a brand-impersonation credential phishing attempt. The primary malicious URL identified is https://togurugake.weebly.com/uploads/1/3/1/4/131412858/620197.pdf, which likely serves as a redirector to a phishing page.
Machine Learning
- Nyx PDF Classifier malicious score 0.9990
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Brand-impersonation credential phishing lure critical SE_BRAND_CREDENTIAL_PHISHDocument impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://togurugake.weebly.com/uploads/1/3/1/4/131412858/620197.pdf.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://vilenefex.ru/123?utm_term=report+phishing+scams+to+chase PDF link annotation
- http://gopudumimipabol.mypressonline.com/depth_of_field_photography.pdfIn PDF document text
- https://togurugake.weebly.com/uploads/1/3/1/4/131412858/620197.pdfIn PDF document text
- https://cdn.sqhk.co/ratufewebu/chg26MO/93712587130.pdfIn PDF document text
- http://warajuvevuv.medianewsonline.com/maternity_leave_form_for_teachers.pdfIn PDF document text
- https://cdn.sqhk.co/rajunakeb/hd6idjb/2048_super_heels_hack.pdfIn PDF document text
- https://cdn.sqhk.co/zipedufipiz/ijQhijh/ebay_kleinanzeigen_for_germany_apk.pdfIn PDF document text
- https://cdn.sqhk.co/tuwebobit/ea0ihge/87686018938.pdfIn PDF document text
- http://xiruzox.mygamesonline.org/allegiant_book_download.pdfIn PDF document text
- https://cdn.sqhk.co/moxinivo/idjh5jc/detective_story_books_in_tamil.pdfIn PDF document text
- https://bipikive.weebly.com/uploads/1/3/4/3/134342269/damogitupet.pdfIn PDF document text
- https://dekudabor.weebly.com/uploads/1/3/4/8/134893804/253600.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://e4fb9bf1-a3d6-4767-9bf2-2a1021e5dc09.filesusr.com/ugd/53cfc7_b38d674d9ad34ae8bfb1771a2d75096d.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/mejigavukolu/jasonunivupeke.pdfIn PDF document text
- https://0f8fedcd-12c0-4678-86f8-e2bff7269121.filesusr.com/ugd/70e7d4_e589dc9484834055b7b9303024facf9f.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/begijufadi/bejegim.pdfIn PDF document text
- https://s3.amazonaws.com/nefunupu/mobuzezojoduvamerul.pdfIn PDF document text
- https://db6a684c-bd73-4a61-997a-17040cc1d896.filesusr.com/ugd/bbbb20_cbeca4eef9ec4e69874664ed6c332666.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/polexebuj/33992664561.pdfIn PDF document text
- https://bc13a564-db4d-4abe-bba9-081b1c4085ef.filesusr.com/ugd/d5ec75_47587bfd93884da8825f0815f70e6bf5.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/mamibis/sogexabel.pdfIn PDF document text
- http://pavafisufopu.myartsonline.com/file_psd_in.pdfIn PDF document text
- https://s3.amazonaws.com/pajeriramal/8th_grade_math_worksheets_free.pdfIn PDF document text
- http://ginowane.onlinewebshop.net/pewexosoxug.pdfIn PDF document text
- https://6cdf8c5e-36a0-4b6d-987f-32d3d50030cd.filesusr.com/ugd/3c2e2e_ba81b81042a3469b84ba760cce3c1410.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_004_off0001225a.bin |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1225A | 17212 bytes |
SHA-256: b8107980297fa048b32166dcdef3a931c488207d43ea94ecb1f8b99d9169d3b9 |
|||
font_00_sfnt_off0000e8bc.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE8BC | 5324 bytes |
SHA-256: e774fdd85a41f33ffcc8d4687b56179b0811f066767fda6b938516767b1b7aff |
|||
font_01_sfnt_off0000fab6.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFAB6 | 11520 bytes |
SHA-256: 1301518435a60295c29879d9b2e24afa2c030cf623e17013f676a98a4e29c8fc |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.