MALICIOUS
196
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
T1059.007 JavaScript
The PDF file was flagged by a machine learning classifier and ClamAV as malicious, with heuristics indicating it contains a link farm and a lure to install browser updates. The presence of embedded URLs and the nature of the heuristics suggest a social engineering attack aimed at tricking the user into downloading and executing a malicious payload, likely through a fake browser extension or update. No scripts were extracted, but the overall pattern points to a phishing or malware distribution attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.9991
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Browser extension / update installation lure high SE_BROWSER_INSTALL_LUREDocument tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://dugedepap.ru/123?utm_term=android+messages+desktop+notifications PDF link annotation
- https://static.s123-cdn-static.com/uploads/4496391/normal_5fe550ba867a1.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4478132/normal_604b95f2779a5.pdfIn PDF document text
- https://kopiwuzurori.weebly.com/uploads/1/3/1/3/131398237/ribuvegowirep-titeruvokole-dusumuges.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4454673/normal_603037521f68b.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4486201/normal_6043b5ac2a19d.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4394077/normal_603c8294e4563.pdfIn PDF document text
- https://bilewazivabo.weebly.com/uploads/1/3/2/8/132816117/kitorijeguzixip.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4413121/normal_6063169b436e1.pdfIn PDF document text
- https://nagofojog.weebly.com/uploads/1/3/4/5/134586362/fabobumewikuzufawe.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4480895/normal_5fe50ab0443e7.pdfIn PDF document text
- https://kupikonawu.weebly.com/uploads/1/3/4/8/134882044/7dc826361.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4454668/normal_5fddca561001e.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/fdfacef1-e4cc-4a21-b598-747437712c50/serial_number_cs6_master_collection.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/cc63a4a6-b15a-4db5-be9a-27d356d9b4ae/54989171566.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b5250e14-5969-4ca9-911e-3d3842cb087b/mudaxipesibamilejifa.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/7b46ed8c-1447-4c16-8b87-f50bc16337d9/kurowalojumolujijuli.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/99f38b94-b84e-4b98-a010-c8d9ac531c1a/how_to_sign_up_for_amazon_web_services.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e6d39c35-474a-4101-a2e1-da46f7221395/how_to_use_bowflex_treadclimber.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c817e2b4-b4a9-4719-9bbb-042e36138a98/chandni_chowk_to_china_full_movie_online_in_hindi.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/1bf3fb04-ea0e-44c8-b7fa-0f8965d7999d/59812187062.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8f42f10e-69f8-4128-8920-1ac5d9910821/65582663617.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/1fb08301-e6d8-4c68-b54c-456cfed05b0b/vazuxisela.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/be90d49e-c73f-4b97-80a2-8bc167a8aa26/gukusufosaxakidasezirur.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/4613a8ea-8220-468a-8e88-b5a74b65bf7d/movuzisosebojukevofamo.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e0e7.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE0E7 | 5496 bytes |
SHA-256: dc668d1e45954ed717f936a13b971834aec815162a0413bda33a86bc3461efd6 |
|||
font_01_sfnt_off0000f38b.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF38B | 11584 bytes |
SHA-256: 597d5cd63f817327dbd1f57059ea31863177f2941ffe86ea661f41e4da9db147 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.