Verdict: MALICIOUS
Risk Score: 186

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9997
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000fd96.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFD96 | 5432 bytes | 975f6e761027f52b015a2a822cf2daf3099726fed6386ef9f18ac0cb525683a1 |
| font_01_sfnt_off00011000.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11000 | 12068 bytes | 837fa9082fafd37a031b9764e31a7e37d2ddc094c9d227196eff9e47c8d83dd6 |