Malware Insights
The PDF file was flagged as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The embedded URL, 'https://dugedepap.ru/wix?keyword=%25DA%25A9%25D8%25A7%25D9%2586%25D8%25A7%25D9%2584+%25D8%25AC%25D9%2588%25DA%25A9%25D9%2587%25D8%25A7%25DB%258C+%25D8%25B2%25DB%258C%25D8%25B1%25D9%2586%25D8%25A7%25D9%2581%25DB%258C+%25D8%25AA%25D9%2584%25DA%25AF%25D8%25B1%25D8%25A7%25D9%2585', likely leads to a phishing site. Although no scripts were explicitly extracted, the PDF structure and embedded URI heuristic suggest it's designed to redirect users to malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9979
Heuristics 4
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION). ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI (severity: info, rule: PDF_URI). PDF contains an external URL action.
- Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL). The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (severity: info, rule: EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://dugedepap.ru/wix?keyword=%25DA%25A9%25D8%25A7%25D9%2586%25D8%25A7%25D9%2584+%25D8%25AC%25D9%2588%25DA%25A9%25D9%2587%25D8%25A7%25DB%258C+%25D8%25B2%25DB%258C%25D8%25B1%25D9%2586%25D8%25A7%25D9%2581%25DB%258C+%25D8%25AA%25D9%2584%25DA%25AF%25D8%25B1%25D8%25A7%25D9%2585 (PDF link annotation)
Extracted artifacts 6
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_007_off000195b9.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x195B9 | 37484 bytes | 19765c1540f7ec30ca45b045d56db88e8ee4920907d9152da4a0d626bf4ed7fd |
| font_00_sfnt_off00011350.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11350 | 2964 bytes | f56cb6c57f42cadb6a8c275095058cc3e4a60c97750916e03bbbae8634d86ecf |
| font_01_sfnt_off00011dca.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11DCA | 4068 bytes | 9093d88ed2f51c078dd44114aa35e5641b1c3a839509d1d398fe9e3f8c83fed2 |
| font_02_sfnt_off00012ba3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12BA3 | 14736 bytes | 82587e2a82c2c51b11b596b1acfd8e19e10957a87bc6dc4c6571d7088bdb0b19 |
| font_03_sfnt_off0001557c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1557C | 10444 bytes | fb51f9490473a6194b0d8e56f41de4e53f997d0a6ad31583082b0ce9086bf7e2 |
| font_04_sfnt_off00017991.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17991 | 18152 bytes | b7964a1c539c52a58a7278a469153aaba4c9532b3eb1065e2309af4a464f3f70 |