MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a large number of external links, many pointing to disposable domains, indicating a link farm or phishing lure. The ML classifier and ClamAV detection strongly suggest malicious intent. While no scripts were explicitly extracted, the PDF structure and embedded URLs are indicative of a phishing or malware distribution campaign, likely leveraging embedded JavaScript for malicious actions.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://maypoin.ru/strik?utm_term=les+miserables+2012+cosette+and+marius PDF link annotation
- http://gixipures.sportsontheweb.net/harry_potter_book_6_plot_summary.pdfIn PDF document text
- https://tababara.weebly.com/uploads/1/3/0/7/130739165/vasuxirokinaga_fekakijiliko_rikeralebowonis_xosuzasobolaj.pdfIn PDF document text
- https://duparumiwope.weebly.com/uploads/1/3/4/7/134707207/6cdb66.pdfIn PDF document text
- https://mefifusefom.weebly.com/uploads/1/3/4/2/134266023/2041382.pdfIn PDF document text
- http://vovality.club/gegupetumaxogoluxatita6ov3c.pdfIn PDF document text
- http://ufenmac.com/wokenibexarezojonip34bh.pdfIn PDF document text
- http://metiwizonud.getenjoyment.net/alambique_casero.pdfIn PDF document text
- https://cdn.sqhk.co/sozimelizak/wgcgcBx/spinal_cord_cross_section_histology.pdfIn PDF document text
- https://cdn.sqhk.co/lajawawinu/Mggjdih/fajepidividilasefodosa.pdfIn PDF document text
- http://mosquito.codes/84998870453y1neg.pdfIn PDF document text
- http://tokiridevifo.medianewsonline.com/wu-tang_clan_smalls_songs_youtube.pdfIn PDF document text
- https://tuzokoluxalof.weebly.com/uploads/1/3/1/3/131382257/tomobewokusil-wowomagineruk.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/1b0c9640-0dd5-452d-9336-d63b08add89d/reading_comprehension_worksheets_grade_4.pdfIn PDF document text
- https://8d537faf-e869-4ed9-a29f-988560fab1dc.filesusr.com/ugd/0cce51_c3d88d75cd1c44da872ed326f8b7f756.pdf?index=trueIn PDF document text
- https://3f5765b5-411c-4b28-96d1-a1e3b219bcee.filesusr.com/ugd/ca847e_a5a0c0f7ae584ed88b11702c7e2b5623.pdf?index=trueIn PDF document text
- https://58552d80-c20c-4e4f-99b9-91bedbcc07a3.filesusr.com/ugd/c18496_cd3c23186572433d84a9123e3ec0f64e.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/8686f249-a91d-47b7-934c-8c767ebd01e5/what_percentage_of_gdp_is_income_tax.pdfIn PDF document text
- https://c18d9829-3add-4afa-bc87-35007fe3998a.filesusr.com/ugd/70c1ec_3826b50e665a456cacb3127c7eeff121.pdf?index=trueIn PDF document text
- https://87c8fc71-818b-4167-bf0d-2ac3bc49ffd1.filesusr.com/ugd/f9d4cd_0e769f37fe0e4d1b815f08b5a9c2e524.pdf?index=trueIn PDF document text
- http://gipebevu.atwebpages.com/xijomuvusasemorog.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c889a4c7-40fa-4978-a9a2-7889ea666995/namolonetepi.pdfIn PDF document text
- http://xovolefewawex.atwebpages.com/bezakefunutixolunu.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0001beeb.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1BEEB | 5492 bytes |
SHA-256: 11502e193565377ee2f77e7dda91012f659109b942386ba11e10c71133c5fe83 |
|||
font_01_sfnt_off0001d17e.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1D17E | 12324 bytes |
SHA-256: 50b85ce01aa221ea78a5cae18f33b4e5df6e4bfed407edbf825df42e41727b35 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.