MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains heuristics indicating it is malicious and has been flagged by ML classifiers and ClamAV as a phishing trojan. It embeds a URL that appears to be a lure, disguised as a search result. While no scripts were explicitly extracted, the presence of embedded URLs and the nature of the detection suggest a phishing or credential harvesting attempt, likely delivered as a spearphishing attachment.
Machine Learning
- Nyx PDF Classifier malicious score 0.9812
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://soxebez.ru/wix?keyword=personajes+de+star+wars+1
- https://cdn-cms.f-static.net/uploads/4392209/normal_603dab6e88daf.pdf
- https://static.s123-cdn-static.com/uploads/4492275/normal_5ff36e184ee49.pdf
- https://cdn-cms.f-static.net/uploads/4484364/normal_600fac25dcb2c.pdf
- http://expressday.online/ruzemuzugeba3k89n.pdf
- https://cdn-cms.f-static.net/uploads/4369781/normal_5fd3a8346f136.pdf
- https://static.s123-cdn-static.com/uploads/4459787/normal_5fdcc6c0f3f94.pdf
- http://nemagufi.mywebcommunity.org/booklet_samples.pdf
- https://cdn-cms.f-static.net/uploads/4369161/normal_5fdb050556b0d.pdf
- https://static.s123-cdn-static.com/uploads/4403130/normal_5fca22badd467.pdf
- http://lojuxaga.mywebcommunity.org/66662922570.pdf
- http://galabogenezoso.getenjoyment.net/amharic_to_english_dictionary.pdf
- http://bio-ita.fun/difivisofepisazctq7i.pdf
- http://prizinsta.online/19642472459w660q.pdf
- http://useraisins.pro/nuripewivewanefa5ax9s.pdf
- http://eglo.club/shark_lift_away_steam_cleaner_not_workingonywq.pdf
- https://static.s123-cdn-static.com/uploads/4369772/normal_5ff71750008d5.pdf
- https://static.s123-cdn-static.com/uploads/4476127/normal_5fd04dbc597e3.pdf
- https://cdn-cms.f-static.net/uploads/4412582/normal_602fe12667622.pdf
- http://drovazvenigorod.ru/power_of_now_audiobook_youtubef5w7o.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://tuminexozuvino.atwebpages.com/79778553209.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0004509d.bin54a86f2f054e521cd662b5491d2faa45f200a78a661fc9a6c831cee997a78c5e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4509D | 5008 bytes |
font_01_sfnt_off000461c9.binba3a54155bd5354cf3376111f0bcd0291980fc91597f5ef1946b82184c4555c2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x461C9 | 11900 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.