Verdict: MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF file was detected as malicious by ClamAV and an ML classifier. It contains a large number of embedded external links, many pointing to disposable hosting services, suggesting a link farm or phishing campaign. The document body is heavily obfuscated and contains metadata indicating it was generated by wkhtmltopdf, a tool often used to create PDF documents from web content.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9994
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL https://pixomot.ru/pbw?utm_term=preguntas+y+respuestas+sobre+el+texto+borges+y+yo (PDF link annotation)
Extracted artifacts (4)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off000103c2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x103C2 | 1604 bytes | 226bd5aa29336cbeea36adaa23de9bcbf462af96c95180cf9e4e6541895b5f4c |
| font_01_sfnt_off00010be4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10BE4 | 5132 bytes | 760e3c3084acee1466cf6d38e71acbfc5f15c36b57b19cfa0fb64d74cba3e38d |
| font_02_sfnt_off00011d69.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11D69 | 12308 bytes | d6e5190a203e49376b2e84fa66cfb4c21bbf0719d5975568a21b5248854f3800 |
| font_03_sfnt_off000144ca.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x144CA | 4324 bytes | d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378 |