Verdict: MALICIOUS
Risk Score: 136
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains a high-severity heuristic indicating it is a phishing lure, directing users to an external URL. The embedded URL, 'https://pelibifir.ru/strik?utm_term=black+and+decker+convection+toaster+oven+recipes', is presented as a search result for recipes, a common social engineering tactic. ClamAV also detected this file as a phishing trojan. No scripts were extracted, but the overall structure suggests a malicious document designed to redirect users to a potentially harmful site.
Machine Learning
- Nyx PDF Classifier malicious score 0.9991
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Image lure linking to an SEO redirector (free-download phishing) (high, PDF_SEO_UTM_REDIRECTOR_LINK): PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted URLs (channel that reached each URL in parentheses):
- https://pelibifir.ru/strik?utm_term=black+and+decker+convection+toaster+oven+recipes (PDF link annotation)
- https://cdn-cms.f-static.net/uploads/4378153/normal_604cfde869851.pdf (in PDF document text)
- http://suvasemujodi.22web.org/90982648686.pdf (in PDF document text)
- https://cdn-cms.f-static.net/uploads/4365606/normal_600bdff0bd9bb.pdf (in PDF document text)
- http://rinevagisovagi.22web.org/tafukufepelisazafuk.pdf (in PDF document text)
- http://fuwegebofu.iblogger.org/48414216402.pdf (in PDF document text)
- http://www.ascendercorp.com/ (in PDF document text)
- http://www.ascendercorp.com/typedesigners.html (in PDF document text)
- http://tazipebikitunir.rf.gd/death_note_movie_2006_l.pdf (in PDF document text)
- https://ab2ac9d4-4772-4872-829d-c19fde0a4f90.filesusr.com/ugd/b919b3_2896a1652d2d45a09baf46563d6828d0.pdf?index=true (in PDF document text)
- http://misiwoferejisuj.rf.gd/1252382595.pdf (in PDF document text)
- https://s3.amazonaws.com/lowuwofuxali/39039830792.pdf (in PDF document text)
- https://s3.amazonaws.com/fuzafuzeruwit/27713090052.pdf (in PDF document text)
- https://cbb9655c-b60d-4095-8c1c-bb5f9a2903c5.filesusr.com/ugd/4dd980_122fd14b1ea0490893146eb177db2957.pdf?index=true (in PDF document text)
- https://4abf464d-34d5-4c80-8de5-e64f30e04530.filesusr.com/ugd/8b3eb5_61b6cc7052ae4d0d9d70b8a5af25a2cc.pdf?index=true (in PDF document text)
- http://kutifakibidi.rf.gd/math._com_algebra_practice_problems_answers.pdf (in PDF document text)
- https://c84d532c-3b33-47d6-96aa-4134a1164eb1.filesusr.com/ugd/6d45f6_216d2172c65543be8f6ff42bef3e1846.pdf?index=true (in PDF document text)
- https://01c4c9a3-ee74-4db9-a65d-799443b8dbf1.filesusr.com/ugd/a64c8c_53745401b08d4647b4ed80ce2899803c.pdf?index=true (in PDF document text)
- https://s3.amazonaws.com/dazinibonofobi/vopunoxudosot.pdf (in PDF document text)
- https://s3.amazonaws.com/jubiferekaka/i_5_traffic_report_redding_ca.pdf (in PDF document text)
- https://13a7c488-548c-4b48-b567-d2b0b9a3e1de.filesusr.com/ugd/85d67f_789a9e6db07a4bda9ad2302e9f7b0655.pdf?index=true (in PDF document text)
- http://wavejewamagoli.rf.gd/pudexelejabetisuvup.pdf (in PDF document text)
- https://cf4de027-7369-46c2-bf93-d69cabef2b5e.filesusr.com/ugd/868b90_b072ff5415d9472e92fcf6000e6f9d47.pdf?index=true (in PDF document text)
- http://bewexipobafuza.rf.gd/friedrich_nietzsche_-_on_truth_and_lies_in_a_nonmoral_sense_summary.pdf (in PDF document text)
- http://towuvoti.epizy.com/b._com_1st_year_syllabus_2020.pdf (in PDF document text)
- http://letozin.rf.gd/tukiwamadu.pdf (in PDF document text)
- https://s3.amazonaws.com/fajeloninesitel/2862634898.pdf (in PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
- http://purl.org/dc/elements/1.1/ (in PDF document text)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
- http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000e2f8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE2F8 | 5240 bytes | 2820816b063196ae2afc481397ec279e06ba87bb35d519c97c2e344f315e3ef2 |
| font_01_sfnt_off0000f4e3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF4E3 | 11008 bytes | b71797545266a94802f1642c6c6cd829e2dee50de24d63145491f48bcc2837d6 |