MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a large number of external links, many pointing to disposable hosting, indicating a link farm or phishing lure. The ClamAV detection and ML classifier strongly suggest malicious intent. While no scripts were explicitly extracted, the PDF structure and embedded URLs are indicative of a phishing or malware distribution campaign, likely initiated via spearphishing.
Machine Learning
- Nyx PDF Classifier malicious score 0.9959
Heuristics 6
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://dafemum.ru/strik?utm_term=what+are+key+words+for+multiplication
- https://xudinenudomojuv.weebly.com/uploads/1/3/4/3/134356320/kinefupi-wibanifixok.pdf
- https://jufavufopu.weebly.com/uploads/1/3/4/3/134340263/2157aa4ce.pdf
- http://lezigovedavide.getenjoyment.net/bbg_free_workout.pdf
- https://vukujaxirebes.weebly.com/uploads/1/3/4/1/134108713/kidamixoredukesanom.pdf
- http://nokojatagi.mywebcommunity.org/1590459351.pdf
- https://koxowuberes.weebly.com/uploads/1/3/1/3/131379375/zaxajube.pdf
- http://wodedutipif.medianewsonline.com/wolkenstein_problems_general_physics_solutions.pdf
- https://lidaleteso.weebly.com/uploads/1/3/4/0/134017218/6148150.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/jofunozuzof/kolixojod.pdf
- https://b354d503-40d1-4c97-84b4-bc0b16c12f35.filesusr.com/ugd/8c7d07_67563e37e72041a5b4520c6c984ae818.pdf?index=true
- https://7f1d4f38-7308-4051-b389-b8ed31312188.filesusr.com/ugd/e948c1_085120af42ff478282ec147d6978d261.pdf?index=true
- https://a40b6db0-1679-4e03-879f-ac5827b9aa7d.filesusr.com/ugd/dba42a_250e75d46ddd4210b30dcb601f281101.pdf?index=true
- https://ecab545c-19d2-4654-b6ac-fb8b9749f5ba.filesusr.com/ugd/e5412a_eef1380a4f5b404a9c3cfea9393df135.pdf?index=true
- https://s3.amazonaws.com/suzujewa/workaholism_definition_measurement_and_preliminary_results.pdf
- https://ed7c5604-ec0f-4ae6-9d22-6d534b57d154.filesusr.com/ugd/1d5a3f_6390e0276a1f4577b1539f8497edcb21.pdf?index=true
- https://a161ff94-1a6f-4367-b6f8-8e513a5e676d.filesusr.com/ugd/4c7633_edc3603233e34169822c078916a7e4de.pdf?index=true
- https://fab88ded-2f12-46c9-b6ec-f290036286cc.filesusr.com/ugd/cce69c_1c65f02dd9104863a6a61206f871a5d1.pdf?index=true
- https://ff9dba89-6132-4485-99c2-ace8a2453124.filesusr.com/ugd/c3f59f_d0497c38bc314c09b1e439e5cd283f9d.pdf?index=true
- https://c3a7a64c-5591-430b-94d7-c2eadfdf3523.filesusr.com/ugd/966478_7376390cfc8249aebf83d92616771aa2.pdf?index=true
- https://s3.amazonaws.com/pewebopufupe/action_jackson_full_movies_2014.pdf
- https://s3.amazonaws.com/dalava/hamilton_beach_breakfast_sandwich_maker_with_timer_-_dark_gray_25478.pdf
- https://e905a76e-7bc1-418c-be29-e8eda1603e86.filesusr.com/ugd/3fb32a_5efbaa12bd184fa99da1615666438a97.pdf?index=true
- https://bd7a0a6f-bbfd-49cc-ba41-c3f2778102d9.filesusr.com/ugd/9ea91e_1313cbab0d54488faebe44cc84dc03a4.pdf?index=true
- https://8f1ef4f7-3f23-41ef-a3d6-4e5873a175a2.filesusr.com/ugd/d318ce_8edadb19554b4709a717f197c389c47f.pdf?index=true
- https://e809654a-a95b-4dbc-a338-24085255a2f8.filesusr.com/ugd/1b6cec_e252c416086b4fec942aa31f87e75466.pdf?index=true
- http://pivimufe.atwebpages.com/79386212283.pdf
- https://s3.amazonaws.com/samopakamefap/cefr_level_test.pdf
- https://8eefcaf3-52f5-4123-8be5-b1f0aaeea45e.filesusr.com/ugd/1d3654_17c9d3565c2747f0b6beb7dcec7a106a.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000d8e4.bin32b5c62910d6a1d39dda94ffb2578ac669f6194869b9200b045f9a3e7c946763 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD8E4 | 5664 bytes |
font_01_sfnt_off0000ec1e.bin25732223c22bc83d9a643531d4e3fadfe8618ba5f6551025042e0b78585ecc38 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEC1E | 9788 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.