MALICIOUS
Risk Score: 144
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
The PDF is identified as an image-only lure, typical of phishing campaigns, containing a clickable link disguised as document content. The heuristic 'PDF_IMAGE_LURE' indicates a screenshot-like appearance with an action trigger. The document body is heavily obfuscated and contains metadata suggesting it was generated by wkhtmltopdf, not a standard document editor. The presence of numerous external links, many hosted on disposable or less reputable domains, further supports the malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.7360
Heuristics 5
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Image-only document with action trigger (screenshot lure) (medium, PDF_IMAGE_LURE): PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 50 KB, the typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.