MALICIOUS
136
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
T1059.007 JavaScript
The PDF document contains numerous embedded URLs and a heuristic firing for a 'ClickFix' social engineering attack, indicating it attempts to trick the user into running a command. The document body, though partially corrupted, contains references to URLs that likely serve as lures or download locations for malicious content. The presence of a large number of external links suggests a link farm or SEO poisoning tactic to distribute malicious PDFs.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClickFix social engineering attack high SE_CLICKFIXDocument instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://cheshuntteamministry.org/uploads/1/3/0/6/130603979/130603979.html#alienware+command+center++windows+10+laptop
- http://mjmallory.com/uploads/1/3/0/6/130639456/9865513.pdf
- http://butjob.com/uploads/1/3/1/4/131406391/a19597ab12ffc.pdf
- http://superduperfuntime.com/uploads/1/3/0/8/130873907/paretaf-daxenidalewata-zuwakomuro-mudafajitebu.pdf
- http://freedomeducation1.com/uploads/1/3/0/9/130969384/5982944.pdf
- http://heltafoodsupply.com/uploads/1/3/0/7/130774968/wajur.pdf
- http://anikah.co/uploads/1/3/1/0/131070722/7658298.pdf
- http://santafestonecutter.com/uploads/1/3/1/4/131437285/5b175a.pdf
- http://kmekravmaga.com/uploads/1/3/0/8/130813757/tidopojoxeduvuju.pdf
- http://andreahart.net/uploads/1/3/0/4/130488754/2d6f5ff0.pdf
- http://emotionalwealthmanagement.com/uploads/1/3/0/7/130739152/5287068.pdf
- http://medicwear.ca/uploads/1/3/0/4/130483062/gawabivevidirumekin.pdf
- http://allerware.com/uploads/1/3/0/8/130813643/mavopuxif.pdf
- http://romanb3.com/uploads/1/3/0/4/130483739/dajenuxabusokot.pdf
- http://dominicluvisi.com/uploads/1/3/0/7/130776033/gutujetutonigaj.pdf
- http://ebrhawaii.net/uploads/1/3/0/6/130621127/d39ea2f997.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005be3.bin7ad74d59c8cd952eb7dd6dc7bec4b3fb40a3c517cb47fa8eea1ee09a6ce8ab49 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5BE3 | 11224 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.