MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file was identified as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The file contains a large number of external links, with one prominent URL being https://baarspo.ru/award?keyword=cashless+payment+system+pdf, suggesting a phishing or SEO link farm attack. The document body, though heavily obfuscated, contains keywords related to payments and the authoring application, further supporting the lure.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://baarspo.ru/award?keyword=cashless+payment+system+pdf PDF link annotation
- https://static.s123-cdn-static.com/uploads/4369909/normal_5fcf7283a2c30.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4393035/normal_5ffa31b33776e.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4365584/normal_602f52ddbc030.pdfIn PDF document text
- https://barobinamad.weebly.com/uploads/1/3/4/7/134756413/nafobam.pdfIn PDF document text
- https://joxukitemubat.weebly.com/uploads/1/3/5/9/135957717/9395069.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4413713/normal_605e1b4857fb0.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4417206/normal_5fde7f530c632.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://9e730ba1-499c-413e-9a09-8a81f8121270.filesusr.com/ugd/0a0016_8cac9c3b2cce4774a4ecc68611797ec0.pdf?index=trueIn PDF document text
- https://97e6e6c8-040d-427c-ad66-6ef02350ae38.filesusr.com/ugd/9c523c_0c11f3070b1b4aed815151e10ab7705a.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/dexodekelaseki/36759674726.pdfIn PDF document text
- https://2a4c341d-9af7-4f89-b48a-1b926ad6ced7.filesusr.com/ugd/dd6616_385608ba01d84c06a9f6ed80073a8389.pdf?index=trueIn PDF document text
- https://cceb078e-1df6-42b0-9e12-359f30e42f1d.filesusr.com/ugd/e8506d_98c3be8835484f618f935881abead586.pdf?index=trueIn PDF document text
- https://07bd7893-a6ec-44d5-90fe-c719e602c0bd.filesusr.com/ugd/aafaff_11392ac8386945a5af4f3ab573c9ae9c.pdf?index=trueIn PDF document text
- https://2559d30b-64cd-4b4d-aaad-e76a675dde99.filesusr.com/ugd/f5a024_9366322cb8394809b507cfbd9e4d01ca.pdf?index=trueIn PDF document text
- https://4de1274e-a26b-4e71-a0d1-d86f0cfee7ee.filesusr.com/ugd/ee4d88_dc1231e1662142998b49bf2caa19d2e5.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/73218e8f-51f5-48ad-a8fa-d299a149e530/76945561624.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a62cdd54-304f-47ba-a528-8f615ffad326/there_is_there_are_countable_and_uncountable_nouns_online_exercises.pdfIn PDF document text
- https://s3.amazonaws.com/sevoga/is_elder_scrolls_online_good_2020.pdfIn PDF document text
- https://01c4c9a3-ee74-4db9-a65d-799443b8dbf1.filesusr.com/ugd/a64c8c_91de52c3babf4c588894febe91b8aa2e.pdf?index=trueIn PDF document text
- https://4ad55601-b8ab-4ae0-bc0e-e90069072326.filesusr.com/ugd/3aca14_b7898fb9c6bc4ac39424f40a3b1f7328.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f21f.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF21F | 5192 bytes |
SHA-256: c3de82d1cec51ce7b9758a1d8aad009adbb1d3e3c4e64cc76f96024f7602be0e |
|||
font_01_sfnt_off000103af.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x103AF | 12232 bytes |
SHA-256: 4fa7a1b9303aff789f95c6eba0dd755b0a01d77ec1127c423b58d5dc865a348a |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.