MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
T1203 Exploitation for Client Execution
The PDF contains a critical heuristic firing for brand-impersonation credential phishing, specifically impersonating Disney. It also contains numerous external links, with one redirecting through 'jarowezib.weebly.com' which is flagged as a potential phishing lure. The ML classifier strongly indicates maliciousness, and the presence of embedded URLs suggests an attempt to direct the user to a malicious site.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Brand-impersonation credential phishing lure critical SE_BRAND_CREDENTIAL_PHISHDocument impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://jarowezib.weebly.com/uploads/1/3/0/8/130813985/nufemoximedunow-titomu.pdf.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://baarspo.ru/strik?utm_term=who+makes+vanguard+small+engines PDF link annotation
- https://cdn-cms.f-static.net/uploads/4492901/normal_6052f8bcb42c2.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4427514/normal_6012381d8f452.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4417040/normal_606ab89192ac6.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4380073/normal_604d29e342a04.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4457582/normal_6054ffd9f1e67.pdfIn PDF document text
- https://jarowezib.weebly.com/uploads/1/3/0/8/130813985/nufemoximedunow-titomu.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4483365/normal_606a0056b54a2.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4408881/normal_6023f5c40377a.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4423696/normal_60691c0b5e073.pdfIn PDF document text
- https://fepobiwebefu.weebly.com/uploads/1/3/4/5/134592484/776bb1e2a3b7.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4447270/normal_606dfab682eff.pdfIn PDF document text
- https://govotewimodiku.weebly.com/uploads/1/3/4/6/134649218/e035dd0fc44f0e.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4450145/normal_606132d23146e.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4447465/normal_602ce465ae68d.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/e162ef3b-5b3e-4c00-88f7-e0a9fafb0951/24218292152.pdfIn PDF document text
- https://s3.amazonaws.com/xirixepo/81228475426.pdfIn PDF document text
- https://s3.amazonaws.com/gavexilatuvitaz/free_7th_grade_reading_comprehension_worksheets.pdfIn PDF document text
- https://s3.amazonaws.com/kiwopusafize/16879409761.pdfIn PDF document text
- https://s3.amazonaws.com/muvemasoxaji/prayers_that_bring_healing_and_activate_blessings.pdfIn PDF document text
- https://s3.amazonaws.com/povelenavuviw/mejubidub.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/910a8414-04b6-408c-a234-2b0eed701765/dakixunexoridamu.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/6e6fed64-351e-4c9d-8f5f-ec0ac1c52945/how_to_fix_charging_port_on_galaxy_s7.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0001035b.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1035B | 5376 bytes |
SHA-256: 9e26a02ef43b1471a45cce2afe29453935ec6475facbc8b73cb92e6ba473c225 |
|||
font_01_sfnt_off00011582.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11582 | 10972 bytes |
SHA-256: 0c3fe418ef5ff8bd04856ef8dc229ff4841da65f7cb44aa00017cdf445aad737 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.