Verdict: MALICIOUS
Risk Score: 196

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains a large number of external links, many of which point to a single domain, suggesting a link farm or SEO abuse. One of the embedded URLs, https://pelibifir.ru/strik, is flagged as having unknown reputation and is likely malicious. The heuristics 'PDF_SEO_LINK_FARM' and 'SE_PASSWORD_ARCHIVE_LURE' indicate that the document is intended to trick users into visiting malicious sites or downloading further malware. ClamAV also detected this file as a phishing trojan.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9951
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE): Document gives password instructions for an archive or attachment, often used to keep payloads encrypted until after gateway scanning.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://pelibifir.ru/strik?utm_term=what+applications+can+agarose+gel+electrophoresis+be+used+for (PDF link annotation)
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00010b4c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10B4C | 5452 bytes | 5b984a18a4db1868fff6aff2a53cd488cce9142bce16dd693281e43db8c4a9a9 |
| font_01_sfnt_off00011dc2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11DC2 | 11724 bytes | e5b57eed46454f9507bd4f2ec2db5c17369627606e6280653e315bc64b902e6f |
| font_02_sfnt_off00014596.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14596 | 4324 bytes | b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c |