Verdict: MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
This PDF document was flagged as malicious by an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9986
Heuristics (5)
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://druttle.ru/wix?keyword=setting+apk+ios (PDF link annotation)
  - http://topdiscount.pro/xolenufe0qvxb.pdf (in PDF document text)
  - http://barcaporirternet-interbank-pe.com/how_to_remove_lint_filter_from_samsung_washing_machine6skvo.pdf (in PDF document text)
  - http://sokolov.fun/weather_live_map_omanxpqc4.pdf (in PDF document text)
  - http://rodina38.ru/the_sign_of_four_book_coveridhig.pdf (in PDF document text)
  - http://potolkilife.ru/giriwibemop75b7.pdf (in PDF document text)
  - https://cdn.sqhk.co/panazomuv/gfv5eie/telegram_download_app_android.pdf (in PDF document text)
  - https://cdn.sqhk.co/pibexezases/igyiije/horror_hd_wallpapers_for_android_mobile.pdf (in PDF document text)
  - https://cdn.sqhk.co/xurajalijok/bHiidig/adventureland_farmingdale_hours.pdf (in PDF document text)
  - http://shtangye.xyz/nikinunaxuwotia3a.pdf (in PDF document text)
  - http://fredo.run/fuduputabetovajebapifaws6g3m.pdf (in PDF document text)
  - http://filemarker.store/whirlpool_cabrio_platinum_washer_cold_water_not_working05t2g.pdf (in PDF document text)
  - https://cdn.sqhk.co/loberutebe/2S3hggi/591392391.pdf (in PDF document text)
  - https://cdn.sqhk.co/tuturuno/hdgijaV/wrc_the_official_game_apk_uptodown.pdf (in PDF document text)
  - http://spiritstudio.ru/zugimibupuv9toa.pdf (in PDF document text)
  - https://cdn.sqhk.co/zibomevuguli/bgghiic/joratalakolefagijik.pdf (in PDF document text)
  - https://cdn.sqhk.co/vidikusupegu/ijdidEN/jarilebes.pdf (in PDF document text)
  - http://gatorama.fun/best_digital_tire_pressure_gauge_presta1x9v1.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - http://www.daltonmaag.com/ (in PDF document text)
  - https://0dd0cd87-80d3-4eb5-b9c6-73c43c3a6fca.filesusr.com/ugd/f0b6b3_6c0ec76c906f4a4c97c4b73a1c839925.pdf?index=true (in PDF document text)
  - https://78bdfa25-736e-4945-a764-db21511aacb9.filesusr.com/ugd/9bd82e_e42365f5971c4e60969d225f52ff6b39.pdf?index=true (in PDF document text)
  - https://7162f0c1-3bb2-4775-9ad2-1e34613fb889.filesusr.com/ugd/595093_aec1364490894d76ae3930d0642c1aae.pdf?index=true (in PDF document text)
  - https://2d2b1dae-c014-4902-97e6-c3f1d56915cd.filesusr.com/ugd/70e5f7_f6b36a46784e4e7a89c9c3ea345568b2.pdf?index=true (in PDF document text)
  - https://627ea4a7-3f28-4bf3-8c99-6a9da7dacf48.filesusr.com/ugd/1970e2_5fe634abae264811ba45e71e5e71b3fe.pdf?index=true (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
  - http://scripts.sil.org/OFL (in PDF document text)
  - http://dejavu.sourceforge.net (in PDF document text)
  - http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
Extracted artifacts (5)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000ef20.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEF20 | 3304 bytes | 7c54c13321a22b13e8c8cf75e560e9151677e82cfd7fb4553fa360d909f90a16 |
| font_01_sfnt_off0000fb05.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFB05 | 4812 bytes | dc915845b0673724a6f6bd749abee9f1e986cbfdd7a92455d1dae77d813297db |
| font_02_sfnt_off00010b70.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10B70 | 11532 bytes | d4fd29bd2a6bee4223f48559f82b2fb5520f93db41976b06521d8423f6ecfbc7 |
| font_03_sfnt_off0001324c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1324C | 16192 bytes | 75ae46b37e824a31f3d2919be60c52daf1ed383ea62173cd6befebe04d4d68f2 |
| font_04_sfnt_off00014759.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14759 | 4324 bytes | b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c |