Verdict: MALICIOUS
Risk score: 166
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains multiple links to external URLs, including one that is algorithmically generated and hosted on disposable infrastructure, suggesting a phishing or malware distribution attempt. The ML classifier and ClamAV detection strongly indicate malicious intent. The document body, though heavily obfuscated, appears to be a lure related to 'technical writing classification definition'.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics (6)
- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- PDF link to algorithmically-generated URL (high, PDF_RANDOM_URL_LINK): PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures (the visible document is only a prompt), not a PDF parser vulnerability.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://dugedepap.ru/strik?utm_term=technical+writing+classification+definition (PDF link annotation)
  - http://skywonder.space/4857825520tpukf.pdf (in PDF document text)
  - http://iminn.ru/bhangra_empire_2009_videohp6tg.pdf (in PDF document text)
  - http://presalle.xyz/how_to_draw_a_face_from_the_side_looking_upckw64.pdf (in PDF document text)
  - https://cdn.sqhk.co/punipopi/jaiSjaB/dungeon_x_dungeons_cheats.pdf (in PDF document text)
  - http://espaceclient-cmb.com/cockroach_factssnv73.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4385214/normal_604fa074f298e.pdf (in PDF document text)
  - https://cdn.sqhk.co/fubebevukad/jdXicjf/form-_control_dropdown_bootstrap.pdf (in PDF document text)
  - http://iminn.ru/vocabulary_workshop_level_b_unit_3_v3jw2i.pdf (in PDF document text)
  - http://olivamebel.com/nitirujuvuditizalixofozuvrbyup.pdf (in PDF document text)
  - http://chambrehub.xyz/171796063248y692.pdf (in PDF document text)
  - https://cdn.sqhk.co/zonigita/LmgdjaV/my_cloud_app_for_macbook_pro.pdf (in PDF document text)
  - http://lessonsonline.site/best_toyota_techstream_cableeljsg.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4444366/normal_6066af0cda75c.pdf (in PDF document text)
  - http://zoomita.space/85411695972oqr3r.pdf (in PDF document text)
  - https://cdn.sqhk.co/sakupiraf/ghttENf/zivosiropajebixi.pdf (in PDF document text)
  - http://brumbum3.xyz/how_to_use_the_roomba_appf62wc.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - https://efed9c07-4553-4484-a419-1b844d271aeb.filesusr.com/ugd/6f475a_3a111c5c3f4b4140943da40567e59953.pdf?index=true (in PDF document text)
  - https://507f79ed-2408-4027-b124-45ed49bded7d.filesusr.com/ugd/2de61b_622e3c0828e34c47bd3b0b3569350533.pdf?index=true (in PDF document text)
  - https://bef89f6e-6323-4b84-ad9d-a44490bfcc4f.filesusr.com/ugd/96768c_b8816d686460445da048f86aec145376.pdf?index=true (in PDF document text)
  - https://054d5c26-596f-48a3-87a7-0fc79031e5db.filesusr.com/ugd/599026_af00f2c26171456eb0113f86f1b4a906.pdf?index=true (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
  - http://scripts.sil.org/OFL (in PDF document text)
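The three structural heuristics in this report (PDF_RANDOM_URL_LINK, PDF_SEO_DISPOSABLE_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) are simple enough to reproduce in a few dozen lines of Python. The block below is an added example, not the analyzer's own code: it extracts URLs by channel (clickable /URI actions versus document text), scores a link host for the consonant-vowel alternation that pronounceable-random generators produce, measures host dispersion across document-text links, and finds indirect objects redefined with different bodies. It runs offline against a constructed mock PDF that reuses a handful of the URLs listed above (the real sample is not reproduced, and the mock has no xref table). The thresholds, the disposable-host suffix list, the XMP namespace allowlist and the alternation test itself are assumptions of this example, not rules the analyzer is known to use; the alternation test generalizes beyond the one host flagged here to any CVCVCV-style label.

```python
"""Added triage heuristics for link-lure PDFs (example, not the analyzer's own code).
Thresholds, the disposable-host suffixes and the XMP namespace allowlist are assumptions."""
import math
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")      # literal-string /URI actions
ANY_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")               # any URL-looking bytes
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)  # "N G obj ... endobj"
VOWELS = set("aeiou")
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction")
XMP_NAMESPACE_HOSTS = {"www.w3.org", "purl.org", "ns.adobe.com", "scripts.sil.org"}
DISPOSABLE_SUFFIXES = (".filesusr.com", ".f-static.net", "cdn.sqhk.co")  # assumption
LURE = "https://dugedepap.ru/strik?utm_term=technical+writing+classification+definition"
BODY_TEXT_URLS = [  # six of the hosts listed in the report above, one link each
    "http://skywonder.space/4857825520tpukf.pdf",
    "http://iminn.ru/bhangra_empire_2009_videohp6tg.pdf",
    "http://presalle.xyz/how_to_draw_a_face_from_the_side_looking_upckw64.pdf",
    "https://cdn.sqhk.co/punipopi/jaiSjaB/dungeon_x_dungeons_cheats.pdf",
    "http://chambrehub.xyz/171796063248y692.pdf",
    "https://cdn-cms.f-static.net/uploads/4385214/normal_604fa074f298e.pdf",
]

def extract_urls(pdf: bytes) -> dict:
    """Split URLs by channel: clickable /URI actions vs. anything else in the raw bytes
    (PDF string escapes are not decoded; enough for the uncompressed mock below)."""
    links = [m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(pdf)]
    body = [m.group(0).decode("latin-1") for m in ANY_URL_RE.finditer(pdf)]
    body = [u for u in body if u not in links and urlsplit(u).hostname not in XMP_NAMESPACE_HOSTS]
    return {"link_annotation": list(dict.fromkeys(links)), "document_text": list(dict.fromkeys(body))}

def alternation_ratio(label: str) -> float:
    """Share of adjacent letters that switch consonant<->vowel: CVCVCV generators score 1.0."""
    cls = [c in VOWELS for c in label.lower()]
    return sum(a != b for a, b in zip(cls, cls[1:])) / (len(label) - 1) if len(label) > 1 else 0.0

def looks_random_host(host: str) -> bool:
    parts = host.lower().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]  # naive registrable label
    return label.isalpha() and len(label) >= 8 and alternation_ratio(label) == 1.0

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def score_link(url: str) -> dict:
    """PDF_RANDOM_URL_LINK-style scoring of one clickable link."""
    p = urlsplit(url)
    tok = max(re.findall(r"[A-Za-z0-9]+", p.path + " " + p.query), key=len, default="")
    random_host = looks_random_host(p.hostname or "")
    return {"url": url, "random_host": random_host, "token_len": len(tok),
            "token_entropy": round(shannon_entropy(tok), 2), "fires": random_host and len(tok) >= 8}

def link_farm(body_urls, link_urls, size_bytes, max_size=200_000) -> dict:
    """PDF_SEO_DISPOSABLE_LINK_FARM-style check: many hosts, none dominant, corroborated
    by a utm_term redirector link or links parked on disposable hosting."""
    hosts = Counter(urlsplit(u).hostname for u in body_urls if urlsplit(u).hostname)
    top_share = max(hosts.values()) / sum(hosts.values()) if hosts else 0.0
    disposable = [u for u in body_urls if (urlsplit(u).hostname or "").endswith(DISPOSABLE_SUFFIXES)]
    utm = [u for u in link_urls + body_urls if "utm_term" in parse_qs(urlsplit(u).query)]
    fires = size_bytes <= max_size and len(hosts) >= 5 and top_share < 0.5 and bool(disposable or utm)
    return {"distinct_hosts": len(hosts), "top_host_share": round(top_share, 2),
            "disposable": len(disposable), "utm_term_links": len(utm), "fires": fires}

def duplicate_objects(pdf: bytes) -> dict:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same (num, gen) defined twice with differing
    bodies; 'active' marks duplicates carrying URI/JS/Launch actions."""
    seen = {}
    for m in OBJ_RE.finditer(pdf):
        seen.setdefault((int(m.group(1)), int(m.group(2))), []).append(m.group(3).strip())
    return {k: {"first": b[0], "last": b[-1], "active": any(a in x for x in b for a in ACTIVE_KEYS)}
            for k, b in seen.items() if len(set(b)) > 1}

def triage(pdf: bytes) -> dict:
    urls = extract_urls(pdf)
    return {"random_links": [s for s in map(score_link, urls["link_annotation"]) if s["fires"]],
            "link_farm": link_farm(urls["document_text"], urls["link_annotation"], len(pdf)),
            "duplicate_objects": duplicate_objects(pdf)}

def build_sample_pdf() -> bytes:
    """Constructed mock (no xref table): annotation 4 0 is redefined in an incremental update,
    so a first-wins reader sees a benign link and a last-wins reader sees the lure."""
    content = "\n".join(f"BT /F1 9 Tf ({u}) Tj ET" for u in BODY_TEXT_URLS)
    annot = "<< /Type /Annot /Subtype /Link /Rect [0 0 612 792] /A << /S /URI /URI (%s) >> >>"
    objs = ["<< /Type /Catalog /Pages 2 0 R >>", "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            "<< /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >>",
            annot % "http://www.ascendercorp.com/",
            "<< /Length %d >>\nstream\n%s\nendstream" % (len(content), content)]
    pdf = "%PDF-1.4\n" + "".join(f"{i} 0 obj\n{o}\nendobj\n" for i, o in enumerate(objs, 1))
    pdf += "trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    pdf += "4 0 obj\n" + annot % LURE + "\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return pdf.encode("latin-1")

if __name__ == "__main__":
    for rule, finding in triage(build_sample_pdf()).items():
        print(rule, finding)
```

On the mock, `looks_random_host` flags dugedepap.ru (nine letters, perfectly alternating) but not cdn.sqhk.co or www.ascendercorp.com; the link-farm check sees six hosts with no dominant one plus two disposable-host links and one utm_term link; and object 4 0 is reported as a duplicate with active content, with the benign first body and the lure in the last body, which is exactly the first-wins versus last-wins divergence the heuristic describes. Against a real sample the regexes would also need to run over inflated FlateDecode streams, and the alternation test should be backed by a word list, since some legitimate brand names also alternate perfectly.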
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000ecc6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xECC6 | 5324 bytes | ab58242031f684dc1514d963147cc105fda93297fc9d10dc9b3dcb0fe66efe66 |
| font_01_sfnt_off0000feed.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFEED | 10016 bytes | c67cd2d6e6601e69730f161d47bbeaeab42a8fc4782ad38f2e10d9b822ffef4a |