Verdict: MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF was flagged by the ML classifier and by ClamAV, whose signature names it a phishing trojan. It carries an external URI action pointing to zajinet.ru with a query string referencing 'jude the obscure sparknotes', so the lure is most likely a study-guide download that sends the reader off-document to the attacker's site. The visible document body is heavily obfuscated. No scripts were extracted, so the T1059.007 (JavaScript) mapping above is not backed by a recovered script; the active content is the URL action, and one indirect object is defined twice with different bodies, so a first-wins and a last-wins reader can resolve different content. Of the other extracted URLs, the XMP namespace URIs (w3.org, purl.org, ns.adobe.com), the OFL licence link and the font-foundry sites come from document and font metadata and are not indicators in themselves; the remaining hosted-PDF links are the ones worth checking.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9998
Heuristics (4)
- ClamAV [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
- https://zajinet.ru/strik?utm_term=jude+the+obscure+sparknotes
- https://cdn-cms.f-static.net/uploads/4374537/normal_5fdc52fab8720.pdf
- http://healingtunes.ru/noruwazv9nr.pdf
- https://static.s123-cdn-static.com/uploads/4375703/normal_5fcf094c2bef7.pdf
- http://gonzo-3d.com/icebreakers_ice_cube_gum_flavorscqov8.pdf
- https://static.s123-cdn-static.com/uploads/4495240/normal_5fc664def1680.pdf
- http://ketaton.mywebcommunity.org/avalon_astoria_pellet_stove_troubleshooting.pdf
- https://static.s123-cdn-static.com/uploads/4461763/normal_5fe4031b683e6.pdf
- https://static.s123-cdn-static.com/uploads/4454161/normal_5fe1f27e91a3c.pdf
- http://kazaxukiga.getenjoyment.net/sixth_sense_technology_ppt.pdf
- http://zhigina.ru/49457969523gpolb.pdf
- http://trysol.xyz/best_essays_in_slouching_towards_bethlehemvs59u.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://s3.amazonaws.com/dexodekelaseki/napimerekojexavu.pdf
- https://cceb078e-1df6-42b0-9e12-359f30e42f1d.filesusr.com/ugd/e8506d_e9524f1e50d249de972b3ec892c51ee9.pdf?index=true
- https://d5fb4b5d-766d-4e54-ab1c-ecc61d2b7d82.filesusr.com/ugd/b0c8dc_2a2a8bd26de14b52b08c27d8708f1a77.pdf?index=true
- https://ac65beef-1c88-4b01-a948-251493ed82f2.filesusr.com/ugd/09857b_3493862cb75c4e3a82bf9e438f8a23bb.pdf?index=true
- http://somasetowijo.myartsonline.com/mass_moment_of_inertia_of_different_shapes.pdf
- https://s3.amazonaws.com/juzewojavomofew/zufumepes.pdf
- https://e2604e0b-f95a-4acb-b53f-a7db3827b2a1.filesusr.com/ugd/225520_2040717d84414c83828967db2fcb2884.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
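To show how the PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above fit together, here is an added Python triage script; it is not part of the analyzer or of this report. It indexes uncompressed indirect objects by (number, generation), reports those defined more than once with differing bodies, raises severity only when a duplicate carries an action key, and resolves /URI actions the way a first-wins and a last-wins reader would. The sample PDF bytes, the object numbers and the URLs in it are constructed for the demo; the script handles only uncompressed objects and literal-string /URI values, not object streams or hex strings.

```python
"""Added triage helper: duplicate indirect objects as seen by first-wins and
last-wins readers, and the external URL actions each of them would resolve."""
import re
from collections import defaultdict

# Uncompressed "N G obj ... endobj" definitions; object streams are not parsed.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Literal-string /URI values only (no hex strings, no escaped parentheses).
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys that make a duplicated object "active content" for severity purposes.
ACTIVE_RE = re.compile(rb"/(URI|JavaScript|JS|Launch|OpenAction|AA)\b")

# Constructed sample: a one-page PDF whose link annotation (4 0) points at
# action object 5 0. An incremental update appended after the first %%EOF
# redefines 5 0 with a different target. Cross-reference tables are omitted
# because this byte-level scanner, like the heuristic, does not consult them.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A 5 0 R >>\nendobj\n"
    b"5 0 obj\n<< /S /URI /URI (https://example.org/study-guide) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Size 6 >>\nstartxref\n0\n%%EOF\n"
    # incremental update: same object number and generation, different body
    b"5 0 obj\n<< /S /URI /URI (https://attacker.example/lure) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Size 6 /Prev 0 >>\nstartxref\n0\n%%EOF\n"
)


def index_objects(data):
    """Map (num, gen) -> list of body bytes, in file order."""
    objs = defaultdict(list)
    for num, gen, body in OBJ_RE.findall(data):
        objs[(int(num), int(gen))].append(body.strip())
    return objs


def duplicate_objects(objs):
    """(num, gen) -> bodies, for objects defined more than once with differing bytes."""
    return {key: bodies for key, bodies in objs.items()
            if len(bodies) > 1 and len(set(bodies)) > 1}


def resolve(objs, policy):
    """One body per object, chosen as a first-wins or last-wins reader would."""
    idx = 0 if policy == "first" else -1
    return {key: bodies[idx] for key, bodies in objs.items()}


def uri_actions(data, policy="last"):
    """External URL action targets visible to a reader with the given policy."""
    view = resolve(index_objects(data), policy)
    return sorted({m.decode("latin-1")
                   for body in view.values() for m in URI_RE.findall(body)})


def triage(data):
    """Summarise duplicates, their severity, and what each reader policy sees."""
    objs = index_objects(data)
    dups = duplicate_objects(objs)
    # Severity follows the heuristic: body-only duplicates stay "info" unless
    # one of the conflicting bodies carries an action key.
    active = any(ACTIVE_RE.search(b) for bodies in dups.values() for b in bodies)
    return {
        "duplicate_objects": sorted(f"{n} {g}" for n, g in dups),
        "duplicate_severity": ("critical" if active else "info") if dups else None,
        "uris_first_wins": uri_actions(data, "first"),
        "uris_last_wins": uri_actions(data, "last"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

Run against the sample, the first-wins view reports only the benign study-guide URL while the last-wins view reports the lure, which is exactly why a scanner must report both rather than trusting one reader's resolution; dropping the incremental update (everything after the first %%EOF) yields no duplicates and identical views.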
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000f5e7.bin | d6e9d4374a5bc8f403db86fe376fef962d50405144f4f5726a57a873577f8853 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF5E7 | 5156 bytes |
| font_01_sfnt_off00010750.bin | 8cddb22e7f69d89183159e7574d5c6cbd785ea993c5a9ec9e02ba63695be03a4 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10750 | 10116 bytes |
| font_02_sfnt_off000129b4.bin | 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x129B4 | 4324 bytes |