MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF document contains a lure related to the song 'Yankee Doodle' and embeds a URL pointing to a suspicious domain. ClamAV detection and ML classification strongly indicate maliciousness, likely for phishing purposes. No scripts were extracted, but the embedded URI is the primary indicator of compromise.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://baarspo.ru/aws?utm_term=what+is+the+meaning+behind+the+song+yankee+doodle
- https://cdn.sqhk.co/dojaxeje/jbghiaA/93081646227.pdf
- https://cdn-cms.f-static.net/uploads/4375352/normal_6012fa272619e.pdf
- https://cdn-cms.f-static.net/uploads/4391624/normal_5fdc04c4885ce.pdf
- https://cdn-cms.f-static.net/uploads/4417214/normal_603c5b1cf258e.pdf
- https://cdn.sqhk.co/xixujipum/6gjCeoI/senekexajimitumatevitora.pdf
- https://cdn.sqhk.co/moxoxitij/3gi4xzk/bamofunilokowu.pdf
- https://cdn.sqhk.co/nomevagume/vidicjg/transformers_animated_shattered_glass_fanfiction.pdf
- https://cdn.sqhk.co/vofonowul/gdLjdIC/2nd_grade_math_placement_test.pdf
- https://cdn.sqhk.co/tororukiwuri/g3Vvsjg/hyperspace_yeezy_real_vs_fake.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/d6a1a78b-a9fc-483c-84f5-9bca029aa5d5/new_gospel_praise_and_worship_songs_2020.pdf
- https://uploads.strikinglycdn.com/files/99be9447-79b0-4802-9baa-a4682cf6df03/how_to_community_organize.pdf
- https://uploads.strikinglycdn.com/files/ef64c29a-af02-4842-b944-8aed571b0b84/93221043542.pdf
- https://s3.amazonaws.com/jupoti/megodevufolodemunovege.pdf
- https://uploads.strikinglycdn.com/files/9e20484f-3cb3-4c08-9da3-21c426aab1bd/best_small_business_phone_system_review.pdf
- https://uploads.strikinglycdn.com/files/87a70b5a-fd10-4d2a-bdb0-fc9d85454e68/74457301700.pdf
- https://s3.amazonaws.com/dobesogum/rugajogipufutojotakip.pdf
- https://uploads.strikinglycdn.com/files/766d3529-0375-497a-a916-236028a437b6/are_chai_tea_latte_keto_friendly.pdf
- https://uploads.strikinglycdn.com/files/47d3d373-17da-4b37-8f45-d8a67e4c9e37/towevubereremirorolesif.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e2d3.bin6747ffaeae59297f603bc81e05b10be6f93e3da5f3614eb2e01160970345835d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE2D3 | 5464 bytes |
font_01_sfnt_off0000f553.binc545fe721dc4627c14a60d71f5c2924759568f6417925510d90e2a292c71f8a4 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF553 | 10996 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.