MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains an embedded URI pointing to a suspicious domain, which is a strong indicator of a phishing or malware distribution attempt. ClamAV detection and ML classification further confirm its malicious nature. The presence of an external URI suggests an attempt to redirect the user to a malicious site, likely for credential harvesting or further payload delivery.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://mezovuduw.ru/wix?keyword=words+start+rem PDF link annotation
- http://xorimomupajo.scienceontheweb.net/57281857294.pdfIn PDF document text
- http://wow50.pro/ginajakibosrzfy3.pdfIn PDF document text
- http://kuzexamipapoxip.medianewsonline.com/kiroles.pdfIn PDF document text
- https://mumifigade.weebly.com/uploads/1/3/4/3/134314269/daxos.pdfIn PDF document text
- https://natulawud.weebly.com/uploads/1/3/4/3/134309077/409d95f9c1b3.pdfIn PDF document text
- http://zuvalasit.mypressonline.com/3691571108.pdfIn PDF document text
- http://fruits-summer.fun/paragraph_of_the_weekwihao.pdfIn PDF document text
- https://wixepivod.weebly.com/uploads/1/3/0/7/130775856/07eeae6.pdfIn PDF document text
- http://mutetufowikujib.22web.org/97989567306.pdfIn PDF document text
- https://dewufore.weebly.com/uploads/1/3/4/8/134857007/xasapaminuloxal-bowawerizabaf-zozuzevij.pdfIn PDF document text
- https://tuboxivodase.weebly.com/uploads/1/3/4/3/134387713/8b5e60a4.pdfIn PDF document text
- http://mp4.design/groupon_merchant_center_italiac15pb.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://varijaponinaza.rf.gd/bedofugajukupo.pdfIn PDF document text
- https://s3.amazonaws.com/kosipefojaw/moxadalunijow.pdfIn PDF document text
- https://s3.amazonaws.com/jedadokuti/medemeta.pdfIn PDF document text
- https://s3.amazonaws.com/fodose/4014459229.pdfIn PDF document text
- http://gixejemazob.myartsonline.com/los_verbos_ms_usados_en_ingls_en_todos_sus_tiempos.pdfIn PDF document text
- https://s3.amazonaws.com/wapabefizosumi/dad_s_army_theme_song_sheet_music.pdfIn PDF document text
- http://lurarapekakaka.atwebpages.com/16573336016.pdfIn PDF document text
- http://judiserod.onlinewebshop.net/chess_openings_book.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000d244.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD244 | 4952 bytes |
SHA-256: bf2eb33b7dd4c7a8013d73e6cda3eb30719170183866c32057a20ef72e6d9574 |
|||
font_01_sfnt_off0000e30e.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE30E | 10816 bytes |
SHA-256: 7dc3a68eae13b84d738784f05b5d682fa4895e88dab670dcb9b4b2f01a084b8f |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.