Verdict: MALICIOUS (risk score 136)

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment; T1059.007 JavaScript
ClamAV and the ML classifier both flag this PDF as a phishing trojan. Its content is a game-guide lure of the kind that ranks in search results so that the document gets downloaded and opened; the clickable link annotation points to a redirector that ultimately leads to a malicious resource, consistent with payload delivery or credential phishing. The document itself carries no exploit, so the risk lies in the linked destination rather than in the PDF.
Machine Learning
- Nyx PDF Classifier malicious score 0.9804
Heuristics (5)

- [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- [high] PDF_SEO_UTM_REDIRECTOR_LINK: Image lure linking to an SEO redirector (free-download phishing). The PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector, the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, regardless of how many filler text pages the lure carries.
- [info] PDF_URI: External URI. The PDF contains an external URL action.
- [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies. The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- [info] EMBEDDED_URL: Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://maypoin.ru/wix?keyword=fgo+gudaguda+final+honnouji+rerun+guide (PDF link annotation)
  - http://biteroz.iblogger.org/gosuva.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4420765/normal_604a863baa753.pdf (in PDF document text)
  - https://static.s123-cdn-static.com/uploads/4459628/normal_5fcc5e3053ca8.pdf (in PDF document text)
  - http://gafujovinotu.22web.org/harry_potter_and_the_half_blood_prince_chapter_2.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4416493/normal_6010b41ebba76.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4489717/normal_6043e52d7fd4e.pdf (in PDF document text)
  - http://wegasanapifare.iblogger.org/lujebafuk.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4415292/normal_6010da1e1e48c.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4392439/normal_60154c074f117.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - https://dacf5b84-f80e-4bd8-bb7f-22aad20a1cd8.filesusr.com/ugd/285be4_fea279eb7bce493db199124dc0885270.pdf?index=true (in PDF document text)
  - https://s3.amazonaws.com/bejideba/letter_t_activity_sheets.pdf (in PDF document text)
  - http://fobitomiwoga.epizy.com/what_causes_a_furnace_circuit_board_to_fail.pdf (in PDF document text)
  - https://973697ad-ffa4-4f9d-85cd-0c9d1ea039ee.filesusr.com/ugd/5f5755_b6862311a6344b309d091722be980930.pdf?index=true (in PDF document text)
  - https://144ece88-722e-4d59-a9d1-ae16887514c2.filesusr.com/ugd/48b17f_cc9229accb6c489ca0bf6844f07239dd.pdf?index=true (in PDF document text)
  - https://s3.amazonaws.com/nuxomigo/how_to_clean_needle_of_keurig_2.0.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/9039d5e2-7928-4894-8dec-abec7a066d13/joseba_achotegui_sndrome_de_ulises.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/5ac09046-97ba-4e04-b339-02d6a2014f66/how_to_draw_a_realistic_face_girl_step_by_step.pdf (in PDF document text)
  - http://jatojitax.rf.gd/blackboard_collaborate_ultra.pdf (in PDF document text)
  - https://a9864912-ad24-422b-99f3-2d90f7703507.filesusr.com/ugd/d6af85_bfd7b80a8033435aa8b3d3ffbe4f13f1.pdf?index=true (in PDF document text)
  - https://uploads.strikinglycdn.com/files/f2ca7131-1eab-4173-884b-3edb73dde658/premiere_pro_free_download_windows_8.pdf (in PDF document text)
  - https://s3.amazonaws.com/vedexajawo/how_to_program_genie_garage_door_opener_without_learn_button.pdf (in PDF document text)
  - https://e72deea9-3c4d-48de-8429-d2e8e2d5d9b3.filesusr.com/ugd/68b2df_18317e9f9a214840a4ffa0e6ad779e36.pdf?index=true (in PDF document text)
  - https://uploads.strikinglycdn.com/files/b5d55125-2352-47ed-b244-9dc5e44d335d/batman_the_dark_knight_returns_part_2_latino_descargar.pdf (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
  - http://scripts.sil.org/OFL (in PDF document text)
  - http://dejavu.sourceforge.net (in PDF document text)
  - http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

  Only the first URL is reachable by a click: it is the Link annotation the SEO-redirector heuristic fires on. The w3.org, purl.org and ns.adobe.com entries are standard XMP metadata namespace URIs, and the scripts.sil.org and dejavu.sourceforge.net entries are licence URLs carried by the embedded DejaVu fonts; they are metadata strings, not user-facing links.
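The two structural heuristics in the list above, PDF_SEO_UTM_REDIRECTOR_LINK and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced on raw bytes without a full PDF parser. The following Python is an added example written for this page, not the analyzer's own code: it scans `N G obj ... endobj` definitions with regular expressions (no xref or object-stream handling, literal-string URIs only), flags object numbers defined more than once with differing bodies and shows what a first-wins versus last-wins reader resolves, extracts Link-annotation URIs and tests them against the SEO-redirector shape (a multi-word search phrase in an assumed set of query parameters such as utm_term or keyword, or a FeedBurner proxy host), and combines the results into an image-lure check. The sample PDF is constructed for the example; only the link URL is taken from the report's link annotation above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample, not the analysed file: one page whose content stream draws
# only an image, a Link annotation to the report's SEO-keyword URL, and object
# 4 0 defined twice (image-only stream first, text stream last).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R /Annots [5 0 R] /Resources << /XObject << /Im0 6 0 R >> >> >> endobj
4 0 obj << /Length 30 >> stream
q 612 0 0 792 0 0 cm /Im0 Do Q
endstream endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] /A << /S /URI /URI (https://maypoin.ru/wix?keyword=fgo+gudaguda+final+honnouji+rerun+guide) >> >> endobj
6 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /ColorSpace /DeviceGray /BitsPerComponent 8 /Length 1 >> stream
\x00
endstream endobj
4 0 obj << /Length 45 >> stream
BT /F1 12 Tf 72 700 Td (Download guide) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)     # raw scan, no xref
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)         # literal strings only
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
TEXT_OP_RE = re.compile(rb"(?<!\w)(?:Tj|TJ)(?!\w)")
IMAGE_OP_RE = re.compile(rb"(?<!\w)Do(?!\w)")
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/OpenAction", b"/AA", b"/SubmitForm")
SEO_QUERY_KEYS = ("utm_term", "keyword", "q", "query", "s")          # assumed parameter names
SEO_PROXY_HOSTS = ("feedburner.com", "feedproxy.google.com")

def parse_objects(pdf):
    """Every 'N G obj ... endobj' definition in file order; duplicates are kept."""
    return [(int(n), int(g), body.strip()) for n, g, body in OBJ_RE.findall(pdf)]

def duplicate_objects(pdf):
    """(num, gen) -> details for objects defined more than once with differing bytes."""
    seen = {}
    for n, g, body in parse_objects(pdf):
        seen.setdefault((n, g), []).append(body)
    # Severity is raised only when a duplicate carries active content (/JS, /Launch, ...).
    return {key: {"copies": len(b), "first": b[0], "last": b[-1],
                  "active": any(k in body for body in b for k in ACTIVE_KEYS)}
            for key, b in seen.items() if len(set(b)) > 1}

def resolve(pdf, num, gen, policy):
    """Emulate a first-wins or last-wins reader for one object number."""
    bodies = [b for n, g, b in parse_objects(pdf) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]

def content_profile(body):
    """Count text-showing (Tj/TJ) and image-drawing (Do) operators in a content stream."""
    m = STREAM_RE.search(body or b"")
    data = m.group(1) if m else b""
    return {"text_ops": len(TEXT_OP_RE.findall(data)), "images": len(IMAGE_OP_RE.findall(data))}

def link_uris(pdf):
    """/URI targets found in Link annotations or URI actions."""
    uris = []
    for _, _, body in parse_objects(pdf):
        if re.search(rb"/Subtype\s*/Link|/S\s*/URI", body):
            uris.extend(raw.decode("latin-1") for raw in URI_RE.findall(body))
    return uris

def seo_redirector_reason(url):
    """Why a URL matches the SEO-redirector shape, or None if it does not."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if any(host == h or host.endswith("." + h) for h in SEO_PROXY_HOSTS):
        return f"FeedBurner-proxied host {host}"
    for key, values in parse_qs(parts.query).items():
        if key.lower() in SEO_QUERY_KEYS:
            words = values[0].split()   # parse_qs already turned '+' into spaces
            if len(words) >= 3:
                return f"{key}= carries a {len(words)}-word search phrase"
    return None

def triage(pdf):
    """Run both heuristics; the image-lure test is evaluated under each resolution policy."""
    uris = link_uris(pdf)
    seo = {u: seo_redirector_reason(u) for u in uris}
    page = next(b for _, _, b in parse_objects(pdf) if re.search(rb"/Type\s*/Page\b", b))
    num, gen = (int(x) for x in re.search(rb"/Contents\s+(\d+)\s+(\d+)\s+R", page).groups())
    profiles = {p: content_profile(resolve(pdf, num, gen, p)) for p in ("first", "last")}
    image_only = any(pr["images"] > 0 and pr["text_ops"] == 0 for pr in profiles.values())
    return {"duplicates": duplicate_objects(pdf), "link_uris": uris, "seo": seo,
            "profiles": profiles, "image_lure": image_only and any(seo.values())}

if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

Run as a script to print the triage dictionary for the constructed sample. On this sample the first-wins view of object 4 0 is an image-only page while the last-wins view is a short text page, which is the parser-confusion shape the heuristic describes; the duplicate carries no active content, so, as the report notes, it stays informational. To use it on a real file, pass the raw bytes in place of SAMPLE_PDF and treat a hit on both the image-only profile and the SEO-redirector URL as a reason to detonate or block the linked destination, since the document itself carries no exploit.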
Extracted artifacts (4)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_002_off000157db.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x157DB | 119384 bytes | c771cea51191b0116772e9397b1b35c2344fb4a2ee42f94d1c9f32c3e894d9c8 |
| font_01_sfnt_off0002bbbf.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2BBBF | 5024 bytes | b76a9c31630dbf9e75ba10779659f50605aa952b8d5f2019da0503244d04edbd |
| font_02_sfnt_off0002ccd7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2CCD7 | 11140 bytes | 4f82acbec9cccbff0ad33f7a16c329c79eb95b09016aaf098099e4821b3dfc3d |
| font_03_sfnt_off0002f30a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2F30A | 16284 bytes | 0d2743eda229d1c736213aabfdc64e228d213e2622e3433aa29c3ae0f2373a99 |