Verdict: MALICIOUS
Risk Score: 126

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The sample was identified as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous embedded URLs, many of which are hosted on disposable domains and utilize UTM parameters, suggesting a phishing or link-farming campaign. The document body, though heavily obfuscated, contains references to generator reviews and application metadata, likely serving as a lure to encourage users to interact with the malicious links.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9964
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://ponafet.ru/strik?utm_term=champion+9375+watt+generator+reviews (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f8d5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF8D5 | 5784 bytes | 2ccf97e218eeaf17a63f65dd6405ea7248aafb716942563df45a21bf3a57c90d |
| font_01_sfnt_off00010c76.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10C76 | 10648 bytes | 5bc6e9a548c47e7718e9ecc36e19b3ae44c59b5b891c1863a15123f87ee37915 |