Verdict: MALICIOUS (Risk Score 96)
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a phishing or malware distribution site. The document body, though heavily obfuscated, contains references to 'wkhtmltopdf' and a date, suggesting it might be a generated document used as a lure.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics (4)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00012ff5.bin | 6e1bc0b75f0d2b7c2d4b5485be6e45510ada83dd56da63c7259bf3ddb4bd109c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12FF5 | 5168 bytes |
| font_01_sfnt_off0001415a.bin | 4a70d634a952a964e806a14a6e69843f16563dcba2d5ee65e746baedf100f412 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1415A | 11356 bytes |