Verdict: MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file was flagged as malicious by a machine learning classifier and ClamAV, indicating a high likelihood of malicious intent. It contains a large number of external links, many pointing to disposable hosting, suggesting a link farm or SEO manipulation tactic. The embedded URLs and the document's apparent purpose of directing users to external sites align with phishing or malware distribution attempts.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 6
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000ffd9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFFD9 | 5336 bytes | 9a1b7752b5458ae416af8a8880cec788647aff0e3a9ad4302285ea461fcdb05b |
| font_01_sfnt_off00011207.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11207 | 11624 bytes | 66875d53db315adbe0ff3a16be0654c6af00b7b51e047b63edad8ad03467e3a0 |
| font_02_sfnt_off00013929.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13929 | 4324 bytes | 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3 |