MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains an embedded URL that directs users to a site offering 'coc private server apk', suggesting a lure for game-related downloads which often host malware. ClamAV detection and ML classification strongly indicate malicious intent. The presence of an external URI points to the download of a secondary payload or redirection to a malicious site.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://dafemum.ru/wix?keyword=coc+private+server+apk
- https://cdn-cms.f-static.net/uploads/4417429/normal_601e63d22ebc6.pdf
- https://zonanasuwovu.weebly.com/uploads/1/3/2/6/132683154/083aa77505d6.pdf
- https://mijezuri.weebly.com/uploads/1/3/0/9/130969422/4085957.pdf
- https://cdn-cms.f-static.net/uploads/4479460/normal_6039c18fc791c.pdf
- https://rarerosedipise.weebly.com/uploads/1/3/4/8/134876587/ddb686b1acc9.pdf
- https://vidokabotofasi.weebly.com/uploads/1/3/4/8/134868814/9717208.pdf
- https://cdn-cms.f-static.net/uploads/4453908/normal_5fd9654ce1239.pdf
- https://cdn-cms.f-static.net/uploads/4417997/normal_6044d1f39ba60.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/dugibabafod/mozilla_firefox_49._0._2.pdf
- https://s3.amazonaws.com/jozaponi/89126814758.pdf
- http://noxukimu.myartsonline.com/liramitisazimilitux.pdf
- https://uploads.strikinglycdn.com/files/3ea3285a-dc99-4273-87fb-e462303f25e8/in_christ_alone_piano_chord_sheet.pdf
- https://uploads.strikinglycdn.com/files/c86fb90e-26d5-482a-8565-fa7ff3600aed/how_to_learn_currency_exchange.pdf
- https://uploads.strikinglycdn.com/files/3eec0c8f-311c-478a-8874-79be1fa1a24f/marksman_model_2002_repeater.pdf
- https://uploads.strikinglycdn.com/files/26125a67-5a60-4de7-9201-54c07e0f3226/what_is_warren_buffett_investing_strategy.pdf
- https://uploads.strikinglycdn.com/files/9608d94d-e404-4a3b-9004-734801b1e940/danby_kegerator_instruction_manual.pdf
- https://s3.amazonaws.com/kesumasaka/sedixinolotadepejugatide.pdf
- https://s3.amazonaws.com/zatazewoz/zufaviwawov.pdf
- http://wififeju.atwebpages.com/pamewosuxudonisunez.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000fa7a.bin04382bb4dbc7d309cfb296543f1f45465da11fd1c2cfc138301b11bcf1e16032 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFA7A | 4924 bytes |
font_01_sfnt_off00010b50.bin9b877122a4a1368c4b07f387eac4dad50047119726cde68f56da7e89538976be |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10B50 | 11144 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.