Risk Score: 186 (MALICIOUS)
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF file contains a large number of external links, many of which point to disposable hosting, suggesting a link farm or phishing attempt. The ClamAV detection and ML classifier strongly indicate maliciousness. The document body, though heavily obfuscated, contains text related to a "basic life support provider manual", likely a lure to disguise the malicious intent of directing users to external sites.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs (URL, channel)
- https://jumiwimov.ru/123?utm_term=basic+life+support+provider+manual+2015 (PDF link annotation)
- http://kebotup.66ghz.com/icloud_storage_on_android.pdf (in PDF document text)
- http://ionatr.fun/english_grammar_in_use_full_apkfhy8v.pdf (in PDF document text)
- http://afracheat6.xyz/war_of_the_worlds_full_movie_watch_online_with_english_subtitles1pqv9.pdf (in PDF document text)
- http://instacopyrighthelpteam.com/81989523818l00g8.pdf (in PDF document text)
- http://kartaidatodemeleri.com/boss_ve-20_vocal_performer_multi-effects_pedal_reviewnb7a3.pdf (in PDF document text)
- http://xiravudes.22web.org/nagagizux.pdf (in PDF document text)
- http://yesstore.pro/difference_between_grounded_theory_and_phenomenological_researchhdq9i.pdf (in PDF document text)
- http://normab-id.com/citizen_wr100_eco_drive_blackwc7ul.pdf (in PDF document text)
- http://www.ascendercorp.com/ (in PDF document text)
- http://www.ascendercorp.com/typedesigners.html (in PDF document text)
- https://1e2e1d2f-e5bc-406e-8ade-c93a3c5db6fe.filesusr.com/ugd/81c7be_002a7f26f5ac4ee5bffc190115da02e5.pdf?index=true (in PDF document text)
- https://45180a89-8b92-4d54-a4c6-cdf0ad6af3c7.filesusr.com/ugd/2b98a3_3622268491094c6991cf5c10fa3b5758.pdf?index=true (in PDF document text)
- https://0aa989e7-076c-475f-bc22-fff5ae310860.filesusr.com/ugd/b44be6_e18c43900ce94904baf20fe701158fce.pdf?index=true (in PDF document text)
- http://lagadasisipas.rf.gd/kisaz.pdf (in PDF document text)
- https://28932ed2-21d9-4123-99cb-fcff0aac4472.filesusr.com/ugd/cc089a_0af63d97ec13420ba3c796b93995c8ac.pdf?index=true (in PDF document text)
- https://d6ac5066-27fc-4e71-a07d-b30af50dfe8b.filesusr.com/ugd/934fc3_99241a3369824eaea65e13aeb37dd1af.pdf?index=true (in PDF document text)
- https://e4034479-4ead-418b-af8c-5be8dc72bdbe.filesusr.com/ugd/1e8759_49d019904b8b4d33a035f9ab7b476bab.pdf?index=true (in PDF document text)
- https://40ba1f7a-6e91-49bb-bbb8-dfbb40a2bc60.filesusr.com/ugd/22bf55_d7e7a9fb9670429ea496b47209be80e6.pdf?index=true (in PDF document text)
- https://1de4b56a-3309-4767-83a2-f1bb1ea7c594.filesusr.com/ugd/a6e5e9_f34cda2c0036426b85d4d17ae4b3ae6b.pdf?index=true (in PDF document text)
- https://8569cc17-8b2a-4187-ace0-95b0550b99f0.filesusr.com/ugd/d6eede_4b2b58334249408faea9156f91e80fc6.pdf?index=true (in PDF document text)
- https://8d67285a-e3c5-4820-bb1a-bb91ce1079a6.filesusr.com/ugd/d54300_46dbb9264974451f8e6612f2362da9d4.pdf?index=true (in PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
- http://purl.org/dc/elements/1.1/ (in PDF document text)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
- http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000e6aa.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE6AA | 5860 bytes | c242b8375f7ed201dcfee91c1514283d51ba60e6fd51b5773f962a296be9b0fc |
| font_01_sfnt_off0000fa9a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFA9A | 11216 bytes | 6a615cd4f13c856299e6fa180c706ca5bf4fd454886508be908cff64bcdb88de |