Verdict: MALICIOUS
Risk Score: 156

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript

Malware Insights
The sample is identified as malicious by ClamAV and an ML classifier. It contains numerous external links, with a critical heuristic flagging it as a PDF link farm. One of the primary URLs, 'https://mezovuduw.ru/wix?keyword=assured+muscle+rub+while+pregnant', suggests a potential phishing or spamming attempt, likely to drive traffic to SEO-optimized content or malicious sites. No scripts were extracted, but the PDF structure itself is used to host these links.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9993
Heuristics (5)
- ClamAV (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs
- https://mezovuduw.ru/wix?keyword=assured+muscle+rub+while+pregnant (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f947.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF947 | 5708 bytes | 80abb6b617068e9c5177f61169b5dcd57413e93ddbae155fc13c892c3e5cb8f0 |
| font_01_sfnt_off00010c8f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10C8F | 11540 bytes | 850fc7777b30fee915daf1b1c22979746faabf7d27abed0dc287a722e08b44d9 |