MALICIOUS
Risk Score: 226
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 User Execution: Malicious File
The PDF document contains numerous external links, many pointing to disposable hosting, and employs a social engineering lure to trick users into installing a browser extension or update. This behavior is indicative of a phishing or malware distribution campaign. The presence of a link farm and the 'browser extension installation lure' heuristic strongly suggest this document is designed to facilitate further malicious activity.
Machine Learning
- Nyx PDF Classifier malicious score 0.9965
Heuristics 7
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Browser extension / update installation lure [high, SE_BROWSER_INSTALL_LURE]: Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation.
- Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
- URL https://fokemale.ru/strik?utm_term=oracle+12c+client+installation+on+linux+prerequisites (PDF link annotation)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off000141ea.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x141EA | 5332 bytes | 57fd1ccc00c2bda1a3666e83910aa43b6254a2b7edafcbaf14ad816cf9005b84 |
| font_01_sfnt_off00015426.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15426 | 11520 bytes | 9be3febe1af6765fbeff27b9a6b7d5023f05f29fb5ea86a404b60f922964e39d |