Verdict: MALICIOUS
Risk Score: 154

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
Multiple heuristics fired on this PDF and together indicate malicious intent, including a link farm on disposable hosting and a high ML classifier score. The presence of a download-button lure and a callback lure further supports a phishing or scam objective. The embedded URL `https://xezojetit.ru/123?utm_term=chess+master+free++for+android` is the most likely destination for the user, potentially leading to a second-stage download or phishing page.
Machine Learning
- Nyx PDF Classifier malicious score 0.9993
Heuristics (7)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- Callback phishing phone lure [medium, SE_CALLBACK_LURE]: Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
- Visual download / call-to-action button lure [low, SE_DOWNLOAD_BUTTON]: Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://xezojetit.ru/123?utm_term=chess+master+free++for+android (PDF link annotation)
  - http://bluebadgeapproval.com/can_you_have_a_straight_and_a_pair_in_pokerfkf75.pdf (in PDF document text)
  - http://dkshlyap.ru/79555561694960j7.pdf (in PDF document text)
  - http://fomijegi.mypressonline.com/manual_de_arduino_nano.pdf (in PDF document text)
  - http://bipowilago.mywebcommunity.org/63768560784.pdf (in PDF document text)
  - http://momarivido.mypressonline.com/ccsa_certification_study_guide.pdf (in PDF document text)
  - http://kekanavaresem.iblogger.org/zofunujapovibalagupuju.pdf (in PDF document text)
  - http://zivemigidefis.mypressonline.com/are_simple_molecules_soluble_in_water.pdf (in PDF document text)
  - http://sentytld.online/beats_by_dr._dre_studio3_wireless_noise-cancelling_headphonesc97gg.pdf (in PDF document text)
  - http://vienvozvrat.site/53167845558yh724.pdf (in PDF document text)
  - http://dotixomovi.sportsontheweb.net/21261338576.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - http://sudiwoke.epizy.com/chamakam_english.pdf (in PDF document text)
  - https://s3.amazonaws.com/susonanezaj/welixizerur.pdf (in PDF document text)
  - http://maturar.rf.gd/is_there_free_roam_in_ff7_remake.pdf (in PDF document text)
  - http://bilofudako.onlinewebshop.net/6868198153.pdf (in PDF document text)
  - https://7be326e9-a1fd-4761-a84c-83c904220737.filesusr.com/ugd/37e945_2acb382bee6d497f95d5ac04e33a3f0f.pdf?index=true (in PDF document text)
  - https://466f9527-ada3-48b4-ac0c-4ba5546996ca.filesusr.com/ugd/a4b6b9_f29dd7736afb48e59c864393b3fe441c.pdf?index=true (in PDF document text)
  - http://kimawawasero.onlinewebshop.net/chartered_financial_analyst_course_outline.pdf (in PDF document text)
  - https://s3.amazonaws.com/xoferuzu/managing_conflict_interview_questions_and_answers.pdf (in PDF document text)
  - https://245df057-3761-468b-8bc4-2c9c6734f7c7.filesusr.com/ugd/06c8e1_c99fd5a70bea48c3832d7b4690365ea6.pdf?index=true (in PDF document text)
  - http://takamuwemevofe.epizy.com/fogipilifasilipewimez.pdf (in PDF document text)
  - http://zezatavaveb.epizy.com/49370524327.pdf (in PDF document text)
  - https://3315be42-5dab-4b6e-b44d-105cb490973e.filesusr.com/ugd/2e3488_4c2ac3ee2efc4013a43109ab70fe9c00.pdf?index=true (in PDF document text)
  - https://19e6fc83-c281-4d06-93fd-e8b16a02b90a.filesusr.com/ugd/ce5d00_b61a2e264e924ddaab5d7e6fefb9f388.pdf?index=true (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
  - http://scripts.sil.org/OFL (in PDF document text)

Note on triage: the w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace URIs, scripts.sil.org/OFL is the SIL Open Font License URL, and the ascendercorp.com entries are font-vendor URLs from the embedded font metadata; these are written by the producing software and are not lure links. The remaining `.pdf` links on free-hosting and object-storage domains, plus the single link annotation, are the ones that matter for the link-farm finding.
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00013227.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13227 | 5020 bytes | 219b362d5487ba961e106dbeeb74ec60a1ea08a8f7dbb0fa913d26d987acaa63 |
| font_01_sfnt_off00014304.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14304 | 11928 bytes | 7e618851b7d2d6618957780aa5b9b6dc2306bf0ebbff127a1c67a99ceb6f9325 |