MALICIOUS
136
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The file is identified as malicious by ClamAV and an ML classifier, and it contains heuristics indicating an advance-fee scam lure. The document body, though truncated and obfuscated, contains text related to 'Breaking dawn 4 release date' and application metadata, suggesting a lure to trick users into clicking embedded URLs. The presence of multiple external URIs, including one pointing to 'pelibifir.ru', further supports the phishing and scamming intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LUREDocument contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://pelibifir.ru/123?utm_term=breaking+dawn+4+release+date
- http://fofiwafajelerax.sportsontheweb.net/39156855333.pdf
- http://insta-sale.site/putomuzujozol1fk89.pdf
- http://filfex.ru/28185775791eutvn.pdf
- https://static.s123-cdn-static.com/uploads/4367912/normal_5fc9bc4b0e5b0.pdf
- http://pakawuwujawo.getenjoyment.net/why_is_washing_your_face_so_important.pdf
- http://womenita.fun/togozalexudiwarigikua4unm.pdf
- http://laluwaraselolar.mywebcommunity.org/where_is_samsung_a51_manufactured.pdf
- http://rowexusaje.mypressonline.com/algebra_eoc_practice_test_1.pdf
- http://lezigovedavide.getenjoyment.net/windows_10_bash_python_command_not_found.pdf
- http://megalit-korolev.ru/monitorizacion_de_signos_vitalesc08v5.pdf
- https://cdn-cms.f-static.net/uploads/4386621/normal_603fef1844ebc.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://pusapovewazigu.onlinewebshop.net/kitchenaid_stand_mixer_cover_diy.pdf
- http://sipanokule.onlinewebshop.net/attack_on_titan_season_1_characters.pdf
- http://limepupotof.epizy.com/android_games_to_play_with_friends_offline.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0001b0c3.bin9d35c171efaaf9276f9dc38314b7ef6133067bdd95b7e82ef99edf88a4b827dd |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1B0C3 | 5284 bytes |
font_01_sfnt_off0001c2ea.bin1caa40314c6681a2aab9716e4b47f37e4c9caae14e758acdc3453e1e1fe64363 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1C2EA | 12540 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.