Verdict: MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK: T1566.001 Spearphishing Attachment; T1059.007 JavaScript
This PDF document is identified as malicious by multiple heuristics and an ML classifier, and is detected by ClamAV as Pdf.Phishing.Trojan. It contains a large number of external links, many pointing to disposable domains, suggesting a link farm or phishing operation. The document body is heavily obfuscated and appears to be a lure related to search terms, directing users to a URL that likely leads to further malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9990
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL https://jacksth.ru/strik?utm_term=how+many+cobs+of+sweet+corn+per+acre (PDF link annotation)
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f489.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF489 | 5164 bytes | a52610f0ddc365138ac2d6ea993dfbbd1b635a313aac30dfe000e063892d7070 |
| font_01_sfnt_off000105fc.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x105FC | 11220 bytes | 6ee2163678a0d3ec472841414df618e8ba1799a2a3bb3fafc131983d31591d1b |
| font_02_sfnt_off00012c6b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12C6B | 4324 bytes | cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34 |