Verdict: MALICIOUS
Risk Score: 186

Malware Insights

MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF file contains numerous external links, many hosted on disposable domains, suggesting a link farm or phishing campaign. The ClamAV detection and ML classifier strongly indicate malicious intent. The embedded URLs and the heuristic firings point towards a phishing attack that likely aims to redirect users to malicious sites for further exploitation.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000eb13.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB13 | 5188 bytes | 436262fa50c568a5aab2abee76548ddacda0a4cee555cfafb3a0e9fc61e76554 |
| font_01_sfnt_off0000fca8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFCA8 | 10996 bytes | c979eef6687fd59fd7e5283d94a81d14a751ddf0622df57639fe13df533d55e7 |