Verdict: MALICIOUS
Risk Score: 186

Malware Insights

MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9993
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000ec63.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEC63 | 5240 bytes | dbb1a8231488f632572543009d3a314e9e6543d94d24a6461d2e9417e25f37fd |
| font_01_sfnt_off0000fe5a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFE5A | 20736 bytes | 2c7d717605e6139a575dad80ea79ca5a4c9ce4f8485be51a8216c1226d4bd536 |