MALICIOUS
60
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
The PDF file contains a direct link to an executable payload, identified by the PDF_DIRECT_PAYLOAD_LINK heuristic. The embedded URL points to a file named 'setup-qtox-x86_64-release.exe', which is likely a lure to trick the user into downloading and running malware. No scripts were extracted, and the document body was unreadable, but the direct payload link is a strong indicator of malicious intent.
Machine Learning
- Nyx PDF Classifier clean score 0.0155
Heuristics 2
-
PDF link points directly to executable/archive payload critical PDF_DIRECT_PAYLOAD_LINKPDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00001c99.binc55552675356dba83b0c503968be1b309ec75bb92fcfc88dcf6ba72f496290d2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1C99 | 12292 bytes |
font_01_sfnt_off000039b1.bin0a224902da875fa6989b9d25aa58179e14bfcee37c1f5bac75214721c865db86 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x39B1 | 15536 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.