Malware Insights
This PDF was flagged by multiple heuristics, including a critical ClamAV signature match and an ML classifier score indicating maliciousness. The SE_CLOUD_DOC_LURE heuristic indicates the document impersonates a cloud file-sharing service to get the user to open or "verify" a shared document. The large number of external URIs, in particular the link annotation pointing to jumiwimov.ru with a search-phrase utm_term parameter (the SEO-redirector pattern), indicates an attempt to route the user into a redirect chain or to a secondary payload; the links in the document text also include the Instagram lookalike host helplnstagram-confirm.com (lowercase L in place of the i). No scripts were extracted from this sample and the file carries no in-document exploit, so the risk sits in the linked destinations; the overall structure matches a phishing or malware-distribution PDF.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- Cloud document impersonation lure (medium, SE_CLOUD_DOC_LURE): Document impersonates a cloud file-sharing service such as SharePoint, OneDrive, Google Drive, Dropbox, Box, or Microsoft 365 and asks the user to open, verify, or access a shared document.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://jumiwimov.ru/strik?utm_term=epson+v370+perfection+flatbed+scanner+review (PDF link annotation)
  - https://cdn.sqhk.co/runolisor/LhaWTgg/44980840775.pdf (in PDF document text)
  - https://cdn.sqhk.co/rifarako/hiUjfjc/xifadiwidosuzekuj.pdf (in PDF document text)
  - https://cdn.sqhk.co/vadezewe/jfjioWt/36131736204.pdf (in PDF document text)
  - http://fogozuvonuw.66ghz.com/vpn_ios_7.pdf (in PDF document text)
  - http://xadutewopitap.22web.org/what_skills_are_required_for_public_speaking.pdf (in PDF document text)
  - http://zugemenelil.medianewsonline.com/blow_molding_machine_manual.pdf (in PDF document text)
  - http://rolivazugatar.scienceontheweb.net/51322305300.pdf (in PDF document text)
  - http://helplnstagram-confirm.com/45833968348ehynh.pdf (in PDF document text)
  - https://cdn.sqhk.co/bowewulaxam/eQijHjg/xbox_one_gaming_monitor.pdf (in PDF document text)
  - https://cdn.sqhk.co/vimexuda/b7he57K/pejalozavunenonatiz.pdf (in PDF document text)
  - http://vitofemegawe.getenjoyment.net/employment_contract_malaysia.pdf (in PDF document text)
  - http://mestikon.online/troy_bilt_pony_throttle_linkageqif4z.pdf (in PDF document text)
  - http://kejumazinanu.mywebcommunity.org/designing_audio_power_amplifiers_second_edition.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - http://fivamoxopel.epizy.com/lagu_arkana_band_masih_adakah_mantan.pdf (in PDF document text)
  - https://s3.amazonaws.com/pokorevalaxex/college_board_practice_test_7_answers.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/59a52877-dafc-41d2-bec5-a020a55068cd/xazanixotomag.pdf (in PDF document text)
  - https://s3.amazonaws.com/zerejibixupav/the_norton_anthology_of_american_literature_shorter_eighth_edition.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/727618d8-7a8a-4e92-b605-fc065a16cb60/how_many_a4_pages_in_a_novella.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/ce1967a4-1830-4611-b2c8-df3c7d97d14e/what_to_do_if_gear_shift_is_stuck_in_park.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/bbabf9bc-374b-4c9a-b632-9a6531005942/bukimefusogokotafedane.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/2889d859-acf6-49ae-bbbd-1bb8bb24a8a2/94146920145.pdf (in PDF document text)
  - http://fetapewifug.epizy.com/sozod.pdf (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text; XMP metadata namespace)
  - http://purl.org/dc/elements/1.1/ (in PDF document text; XMP metadata namespace)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text; XMP metadata namespace)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text; XMP metadata namespace)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text; XMP metadata namespace)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text; XMP metadata namespace)
  - http://scripts.sil.org/OFL (in PDF document text; SIL Open Font License URL)
  The last seven entries are XMP namespace identifiers and the SIL Open Font License URL, not navigable destinations, and the two ascendercorp.com entries point at a font vendor's site; these most likely come from document and embedded-font metadata rather than from the lure. The remaining 23 links, nearly all of them ".pdf" paths on free or throwaway hosts (cdn.sqhk.co, epizy.com, 22web.org, 66ghz.com, S3, strikinglycdn.com and similar) with no single dominant host, are what the link-farm heuristic keys on.
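The link-farm signal above can be reproduced from nothing more than the extracted URL list. The script below is an added example, not code from the report or from the analyzer that produced it: it re-implements the shape of the PDF_SEO_DISPOSABLE_LINK_FARM heuristic (many clickable links, spread thin across distinct hosts with no dominant one, corroborated by a utm_term SEO redirector or links parked on disposable hosts). The disposable-host list, the thresholds, the metadata-namespace filter and the benign control list are this example's own assumptions; REPORT_URLS is a subset of the URLs listed above.

```python
"""Link-farm triage over URLs extracted from a PDF.

Added example, not code from the original report or its analyzer: it
re-implements the shape of the PDF_SEO_DISPOSABLE_LINK_FARM heuristic.
The disposable-host list and thresholds are this example's own
assumptions, not the analyzer's configuration.
"""
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Assumed list of free / throwaway content hosts (illustrative only).
DISPOSABLE_HOST_SUFFIXES = (
    "66ghz.com", "22web.org", "epizy.com", "medianewsonline.com",
    "scienceontheweb.net", "getenjoyment.net", "mywebcommunity.org",
    "cdn.sqhk.co", "s3.amazonaws.com", "uploads.strikinglycdn.com",
)

# XMP and font-metadata namespaces appear as "URLs" in almost every PDF;
# they are identifiers, not destinations, so they are not counted.
METADATA_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/",
    "http://scripts.sil.org/OFL",
)

# Subset of the URLs listed in the report above, plus three metadata URIs.
REPORT_URLS = [
    "https://jumiwimov.ru/strik?utm_term=epson+v370+perfection+flatbed+scanner+review",
    "https://cdn.sqhk.co/runolisor/LhaWTgg/44980840775.pdf",
    "https://cdn.sqhk.co/rifarako/hiUjfjc/xifadiwidosuzekuj.pdf",
    "http://fogozuvonuw.66ghz.com/vpn_ios_7.pdf",
    "http://xadutewopitap.22web.org/what_skills_are_required_for_public_speaking.pdf",
    "http://helplnstagram-confirm.com/45833968348ehynh.pdf",
    "http://mestikon.online/troy_bilt_pony_throttle_linkageqif4z.pdf",
    "http://fivamoxopel.epizy.com/lagu_arkana_band_masih_adakah_mantan.pdf",
    "https://s3.amazonaws.com/pokorevalaxex/college_board_practice_test_7_answers.pdf",
    "https://uploads.strikinglycdn.com/files/59a52877-dafc-41d2-bec5-a020a55068cd/xazanixotomag.pdf",
    "http://www.ascendercorp.com/",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://ns.adobe.com/xap/1.0/",
    "http://scripts.sil.org/OFL",
]

# Constructed control: a normal citation pattern with one dominant host.
BENIGN_URLS = [
    "https://docs.example.org/guide/intro.html",
    "https://docs.example.org/guide/setup.html",
    "https://docs.example.org/api/index.html",
    "https://www.w3.org/TR/html52/",
    "http://ns.adobe.com/xap/1.0/",
]


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_metadata_uri(url):
    return url.startswith(METADATA_PREFIXES)


def is_disposable(host):
    return any(host == s or host.endswith("." + s) for s in DISPOSABLE_HOST_SUFFIXES)


def has_seo_redirector(url):
    # A utm_term carrying a whole search phrase (spaces after decoding)
    # is the SEO-redirector tell named by the heuristic.
    terms = parse_qs(urlparse(url).query).get("utm_term", [])
    return any(" " in t for t in terms)


def link_farm_verdict(urls, min_hosts=5, max_dominant_share=0.5):
    """Return (flagged, evidence).

    Flagged when the clickable links spread over >= min_hosts distinct
    hosts with no host holding more than max_dominant_share of them, and
    at least one corroborating signal (SEO redirector or disposable host).
    """
    clickable = [u for u in urls if not is_metadata_uri(u)]
    hosts = Counter(host_of(u) for u in clickable)
    top_share = hosts.most_common(1)[0][1] / len(clickable) if clickable else 0.0
    evidence = {
        "clickable_links": len(clickable),
        "distinct_hosts": len(hosts),
        "top_host_share": round(top_share, 2),
        "disposable_hosts": sorted(h for h in hosts if is_disposable(h)),
        "seo_redirectors": [u for u in clickable if has_seo_redirector(u)],
    }
    spread_thin = len(hosts) >= min_hosts and top_share <= max_dominant_share
    corroborated = bool(evidence["disposable_hosts"] or evidence["seo_redirectors"])
    return spread_thin and corroborated, evidence


if __name__ == "__main__":
    for name, urls in (("report sample", REPORT_URLS), ("benign control", BENIGN_URLS)):
        flagged, ev = link_farm_verdict(urls)
        print(name, "-> link farm" if flagged else "-> not flagged", ev)
```

On the report subset this flags a link farm (11 clickable links over 10 hosts, top host share 0.18, six hosts on the assumed disposable list, one utm_term redirector), while the control with one dominant host is left alone. The metadata filter matters: without it the XMP namespace URIs inflate the host count of every PDF and the heuristic loses its meaning.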
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f253.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF253 | 5784 bytes | b957ac411feb843bc626a0c4499bea4842ba39f9afe07e0f59bfa0cb1caa2f45 |
| font_01_sfnt_off00010628.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10628 | 10924 bytes | e3258bb5a915f14ce3f57d0cb1b25a30cfb5035f1d38c4d066af906ee03378b5 |
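The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic listed above is worth being able to check by hand, because first-wins and last-wins readers disagree on what the file contains. The script below is an added example, not code from the report or its analyzer: it scans raw PDF bytes for "N G obj ... endobj" definitions, groups them by object number, shows what each reader would resolve, and raises severity only when one of the differing bodies carries an active key, mirroring the heuristic's wording. The sample PDF (a benign MediaBox tweak plus a link annotation that gains a /URI action in an incremental update) and the list of active keys are constructed for this example.

```python
"""Flag indirect objects a PDF defines more than once with different bodies.

Added example, not code from the original report or its analyzer: it
reproduces the idea behind the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
heuristic with a regex scan over raw bytes rather than a full PDF parser.
The sample PDF and the list of "active" keys are constructed here.
"""
import re
from collections import defaultdict

# "N G obj ... endobj". Good enough for a triage pass; a body containing a
# stream with the literal text "endobj" would be cut short by this regex.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)

# Keys whose presence makes a redefinition behavioural rather than
# cosmetic (assumed list; the substring match is deliberately coarse).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction",
               b"/AA", b"/GoToR", b"/SubmitForm", b"/EmbeddedFile")

# Constructed sample: original body, then an incremental update that
# re-emits objects 3 and 5. xref tables and trailers are omitted because
# this scan does not use them (a real update would chain them via /Prev).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [5 0 R] >>\nendobj\n"
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] >>\nendobj\n"
    b"%%EOF\n"
    # incremental update: page-size tweak (benign) and a new URI action
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 595 842] /Annots [5 0 R] >>\nendobj\n"
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
    b"/A << /S /URI /URI (http://lure.invalid/open-shared-document) >> >>\nendobj\n"
    b"%%EOF\n"
)


def object_definitions(pdf):
    """Map (num, gen) -> list of body bytes, in file order."""
    defs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        defs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return defs


def has_active_content(body):
    return any(key in body for key in ACTIVE_KEYS)


def duplicate_objects(pdf):
    """Return one finding per object number that has >1 distinct body.

    first_wins / last_wins are what a reader keeping the first or the last
    definition would resolve; severity is "medium" only when either body
    carries active content, otherwise "info" (benign incremental update).
    """
    findings = []
    for (num, gen), bodies in object_definitions(pdf).items():
        if len(set(bodies)) < 2:
            continue
        first, last = bodies[0], bodies[-1]
        active = has_active_content(first) or has_active_content(last)
        findings.append({
            "ref": f"{num} {gen}",
            "definitions": len(bodies),
            "first_wins": first,
            "last_wins": last,
            "severity": "medium" if active else "info",
        })
    return findings


if __name__ == "__main__":
    for f in duplicate_objects(SAMPLE_PDF):
        print(f"{f['ref']} obj defined {f['definitions']}x [{f['severity']}]")
        print("  first-wins:", f["first_wins"].decode())
        print("  last-wins: ", f["last_wins"].decode())
```

On the sample this reports object 3 0 at info (only the MediaBox changed) and object 5 0 at medium (a first-wins reader sees a dead link annotation, a last-wins reader sees a /URI action). Against a real sample, run it on the carved file and compare the last-wins bodies with what the viewer used for the verdict actually renders.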