MALICIOUS
226
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
T1059.007 JavaScript
This PDF file is flagged as malicious by multiple heuristics, including a critical ClamAV detection and an ML classifier. It employs a social-engineering tactic by luring the user to install a browser extension or update, a common method for credential theft or malware installation. The document also contains a significant number of external links, suggesting it may be part of a link farm designed to distribute malicious content or phish for information.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Browser extension / update installation lure high SE_BROWSER_INSTALL_LUREDocument tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://leonvi.ru/123?utm_term=chedot+browser+free++for+pc PDF link annotation
- https://static.s123-cdn-static.com/uploads/4391326/normal_5ffffb4a2d4ab.pdfIn PDF document text
- https://xibupitosuxusi.weebly.com/uploads/1/3/1/3/131380094/c208fc944.pdfIn PDF document text
- https://lanufuxag.weebly.com/uploads/1/3/0/9/130969896/ad74329003f0.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4487208/normal_6042430e206f9.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://18d8f76e-0bdd-4b96-b744-fee987eed1b0.filesusr.com/ugd/1486c8_9e878517b30a473ebe5dfb70837f8b1a.pdf?index=trueIn PDF document text
- https://299bc67c-4c9a-44ea-852c-18f2d39dca40.filesusr.com/ugd/954c8b_8714a2245b894781b52ea1103e74503a.pdf?index=trueIn PDF document text
- https://6a1e2a5f-c456-4288-b9d5-5378f87870fb.filesusr.com/ugd/076fac_c5ee1f6a3ba849bfa100a3fea907cb04.pdf?index=trueIn PDF document text
- https://feedbc21-cb93-402c-9ae2-3476589645d2.filesusr.com/ugd/f3ecbe_05fc464beb9a49b2ba10a33242237b4a.pdf?index=trueIn PDF document text
- https://dbba0f06-1911-40f0-8c80-a2638c7f81cc.filesusr.com/ugd/b13fd1_b04eba05cbd04d36866b044dda6a9b70.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/boxalewijim/convict_conditioning_2.pdfIn PDF document text
- https://41d9b059-0b17-466b-96e6-f31a3f3e9b19.filesusr.com/ugd/f1ead9_f6c1c8007c5f4251ae8791780936b903.pdf?index=trueIn PDF document text
- https://146c8b6c-0b46-450b-8ed0-b45f1e2a4974.filesusr.com/ugd/b58d21_5a0ba7962ccc49528577ec4b558de4a7.pdf?index=trueIn PDF document text
- https://d4f1f58f-bd44-402a-a4b0-a3aa01e36dbf.filesusr.com/ugd/dffefa_0edc21963bce4fc99a29abdae3195cc1.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/vekodupiwarobi/xukapuratozo.pdfIn PDF document text
- https://s3.amazonaws.com/gumegulaxi/mokezepasoxosubavuzofixi.pdfIn PDF document text
- https://4bf641bf-117a-4913-931f-55e49063997f.filesusr.com/ugd/5befcb_3114de1d971745a5acdf09a2cf9a6ac6.pdf?index=trueIn PDF document text
- https://6dd05bf8-a32e-4ce7-8057-9a1894012cff.filesusr.com/ugd/4ce960_be6de8c1aa564aeaa1a789f59b4a8429.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000fe67.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFE67 | 5140 bytes |
SHA-256: 3b008c58253e0ca2d814d3136b66099935a4057450f57bce5ef05b024b99d3ee |
|||
font_01_sfnt_off00010fe8.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10FE8 | 10760 bytes |
SHA-256: 25b5a664e80bb0fadbfe19e5a0720760992f1a19960a75d1860cd9819f8dbaea |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.