Verdict: MALICIOUS
Risk Score: 96

Malware Insights

MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The file is a PDF document that contains a URL pointing to a suspicious domain. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for phishing or malware distribution. The document body, though heavily garbled, suggests a lure related to a poem, which is then used to mask the malicious URL.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9998

Heuristics (4)
- ClamAV (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs:
- https://botokaw.ru/aws?utm_term=poema+en+lengua+maya+y+espa%25C3%25B1ol+corto
- https://static.s123-cdn-static.com/uploads/4466379/normal_5fc5b12290c81.pdf
- https://cdn.sqhk.co/dabozijide/hbhefc0/zuwolotofeminisezeg.pdf
- http://piredvizhnik.com/how_to_stop_hp_printer_printing_test_pageuxpef.pdf
- https://static.s123-cdn-static.com/uploads/4373770/normal_5fed9646816ae.pdf
- http://wexypay.icu/lopatodojufogefeporuwujanvqzum.pdf
- http://hurleyshamburgers.com/pogalalotatanixudukezutnu1dx.pdf
- https://cdn-cms.f-static.net/uploads/4446497/normal_6040a5c099e9c.pdf
- http://imedo.ru/yin_yoga_poses_for_sleepao1kx.pdf
- http://rezotu.xyz/is_the_landlady_by_roald_dahl_based_on_a_true_storywhep8.pdf
- https://cdn.sqhk.co/tikisudolo/331PKof/60636631958.pdf
- https://cdn.sqhk.co/zifixanuk/jaiijgs/rarivelofalelagu.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/fonazuzixagizir/sogixipof.pdf
- https://435a888a-8f80-410d-aa77-77edd6e4491d.filesusr.com/ugd/51fec0_2a85962f2ae64864a02b5e4bfef5f927.pdf?index=true
- https://s3.amazonaws.com/pewebopufupe/backcountry_gear_guide_2016.pdf
- https://s3.amazonaws.com/kelukakeb/91986770041.pdf
- https://uploads.strikinglycdn.com/files/c9a8d4ef-e739-4876-af66-378f140859d6/vasiteka.pdf
- https://uploads.strikinglycdn.com/files/01e8b0a6-b4c8-433a-ac03-e40471195485/56306531600.pdf
- https://uploads.strikinglycdn.com/files/d0034f0e-717b-41b7-bde7-6bfe2b2d2173/19524604344.pdf
- https://814cba0f-f649-4223-bfe6-7884e6e02b9d.filesusr.com/ugd/c1108c_fe657f1c45a84af3a65b9e8f567f1b10.pdf?index=true
- https://s3.amazonaws.com/xutomoxu/sasibijilipopaxaw.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000fc9f.bin (hash fe22fa67ddc44095f320765f36e06974dc5a5ecb8d194195bcefa3f5c846d09f) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFC9F | 5568 bytes |
| font_01_sfnt_off00010f3f.bin (hash 066b53e87d3f44f4d6bf796a5339f683f0d5ec4ae8fe70214182dc4491896c59) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10F3F | 12704 bytes |