MALICIOUS
124
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
T1059.007 JavaScript
The PDF document contains heuristics indicating it uses social engineering lures, specifically a browser extension installation lure, to trick the user into executing malicious content. The document also contains an external URI pointing to a suspicious domain, which is likely part of the attack chain. No scripts were extracted, but the ML classifier strongly flagged this PDF as malicious.
Machine Learning
- Nyx PDF Classifier malicious score 0.9020
Heuristics 7
-
Browser extension / update installation lure high SE_BROWSER_INSTALL_LUREDocument tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
-
QR-code redirect lure medium SE_QR_LUREDocument instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
-
Callback phishing phone lure medium SE_CALLBACK_LUREDocument asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
-
Urgency / deadline lure low SE_URGENCY_LUREDocument contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://maypoin.ru/strik?utm_term=watch+bts+bon+voyage+season+2+eng+sub+online+free PDF link annotation
- https://nirefuriwubava.weebly.com/uploads/1/3/1/6/131637308/sarifekekowo-somagosu-pemisemadevokid.pdfIn PDF document text
- https://zowololo.weebly.com/uploads/1/3/5/2/135294949/rokududirifi.pdfIn PDF document text
- https://weziriditovi.weebly.com/uploads/1/3/4/1/134108838/1fef173e9.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4489028/normal_603d80d656da6.pdfIn PDF document text
- https://fuketuxe.weebly.com/uploads/1/3/4/4/134495293/xedevanemipibuzevuli.pdfIn PDF document text
- https://nurufumetexode.weebly.com/uploads/1/3/5/3/135323779/8ffbf24f1e72f.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4493549/normal_5ff33c0fdcae9.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/e250bc56-2627-402d-951a-5b38cb4bf3b7/bisexis.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/27917d2e-28fb-486b-a024-ee9ea22e2482/what_is_the_best_tasting_herbalife_shake.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b970fd79-f61e-45c2-9394-a79d4366925b/analisis_de_la_pelicula_el_seor_de_las_moscas.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/986f329d-29e2-493d-a22e-bbb031e2a95b/gijoraf.pdfIn PDF document text
- https://s3.amazonaws.com/jugobimuraje/jafevopimaxule.pdfIn PDF document text
- https://s3.amazonaws.com/midizaxopazeji/function_analysis_system_technique_template.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ec63c9da-50ce-4641-8651-fd38248ef723/memories_bring_back_memories_bring_back_you_song_lyrics.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/44c70e14-c20d-4edd-8025-44d33443f03e/16073262966.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_012_off0008b39f.bin |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x8B39F | 17300 bytes |
SHA-256: 7edfa4187ec35a1fa57f85114d0b960ed0fb5a6edfeb2e96d0ec37f1488b99e0 |
|||
font_00_sfnt_off0008414e.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8414E | 9360 bytes |
SHA-256: 636cdb89d32245b2ffd80c081b6c064f311caffe178f18639245870c4977a1cd |
|||
font_01_sfnt_off00085fcb.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x85FCB | 5592 bytes |
SHA-256: 33511f0b00c376970628c4d99277b97b62dae2d5a0f8f52d57db33cc8a7ac225 |
|||
font_02_sfnt_off000872eb.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x872EB | 23264 bytes |
SHA-256: d4c88c336f7a2d7442917a64059f71c0ddf8e35e43f8a1fa11908f454d0c29a0 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.