MALICIOUS
144
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file was flagged as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a lure with a call-to-action button and an external URI pointing to 'xezojetit.ru', suggesting a phishing or malware distribution attempt. The document body, though heavily obfuscated, contains text related to 'kill shot hack apk', reinforcing the lure's theme.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINKPDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://xezojetit.ru/wix?keyword=kill+shot+hack+apk PDF link annotation
- https://cdn.sqhk.co/jumunuji/IWIpgix/nasal_cavity_anatomy_bones.pdfIn PDF document text
- https://cdn.sqhk.co/lirebirab/jfFR1gf/red_ball_adventure_3_jump_for_love.pdfIn PDF document text
- https://cdn.sqhk.co/piredonina/ljgkjcx/kawebotimegigodututa.pdfIn PDF document text
- https://cdn.sqhk.co/vesagivara/ihbjgjd/ganakope.pdfIn PDF document text
- http://pojokup.getenjoyment.net/fozefiladiriruvuwur.pdfIn PDF document text
- http://wumomotetidofe.getenjoyment.net/ninjutsu_techniques_free_download.pdfIn PDF document text
- https://cdn.sqhk.co/zolulesar/l6Uggjf/call_break_multiplayer_game_free_download_for_pc.pdfIn PDF document text
- http://dupuladusudired.mypressonline.com/36820973256.pdfIn PDF document text
- http://lemakomude.sportsontheweb.net/why_does_my_rca_tablet_says_fastboot_mode.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/94b5c508-7032-419b-8022-b98f587df3cf/60111984276.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ee95fc27-1d11-49be-8aa2-1a2a91a19d83/dilutisaxuximip.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/855f7308-6bb8-4327-a125-73b5aa301c24/what_does_2_beeps_on_a_computer_mean.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/60d8502b-ea5c-40b7-a3cc-0eeaa1a267f2/51809917484.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b6b62707-c773-487f-bf91-57e63306ef8d/66484469391.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/54f20a1f-3ad8-4fd0-a318-01e4a00e1d58/88197131267.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e5d26c8e-9980-4415-ab4b-09a23ef66a59/bovelewevimobular.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/20d729a4-6fcd-4e29-97a9-4f7e095fddc9/the_crown_season_3_episode_5_lord_mountbatten.pdfIn PDF document text
- http://wipadafefuxasi.onlinewebshop.net/biochemistry_and_molecular_biology_of_plants_free_download.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8bd1cba5-f36c-4dee-954d-fbf91609ee8f/24785871137.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a2eef307-d796-430e-b77a-cefc83d3482c/internet_service_providers_in_bhel_hyderabad.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/2b2ff864-653d-4ee9-b775-08cec2f8acaf/nitipidalesewuzejazatur.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/7a570cc7-531f-42a7-aafa-33bbf3712034/ponilarezovom.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00010065.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10065 | 4956 bytes |
SHA-256: e9cd038175f3f7d25dfd172b135c95048055365620c16cd8e904021d2d868702 |
|||
font_01_sfnt_off0001113f.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1113F | 11264 bytes |
SHA-256: 4f234188408f430c17e31f3a0e0243bb74ba2f7c5dcebddb9994aedae4120042 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.