HTML page contains obfuscated javascript
Connects to several IPs in different countries
Detected hidden input values containing email addresses (often used in phishing pages)
Detected suspicious crossdomain redirect
Found iframes
HTML body contains low number of good links
HTML page contains hidden javascript code
IP address seen in connection with other malware
Invalid T&C link found
JA3 SSL client fingerprint seen in connection with other malware
No HTML title found
PDF has an OpenAction (likely to launch a dropper script)