Verdict: MALICIOUS
Risk score: 134
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF was flagged as malicious by both the ML classifier and ClamAV, consistent with a phishing/trojan lure rather than an exploit document. It carries numerous embedded URLs: the only link annotation points to an SEO redirector on chcial.ru whose query string holds a 'utm_term' search phrase, and the document text lists more than twenty further .pdf links parked on free or disposable hosts (pbworks.com, strikinglycdn.com, f-static.net, s123-cdn-static.com) under lure filenames such as 'clash_and_clans_mod_apk.pdf'. This is the 'free download' SEO link-farm pattern: the document ranks for search queries and routes visitors into redirect chains. The PDF itself contains no exploit, so the risk lies in the linked destinations.
Machine Learning
- Nyx PDF Classifier malicious score 0.9993
Heuristics (6)
- CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- PDF_SEO_DISPOSABLE_LINK_FARM (medium): Small PDF is a non-clustered link farm on disposable hosting. The document contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure. The document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding unless other findings point to a malicious workflow.
- PDF_URI (info): External URI. The PDF contains an external URL action.
- PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies. The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- EMBEDDED_URL (info): Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://chcial.ru/pbw?utm_term=lunch+box+full+movie+download+720p (PDF link annotation)
  - https://static.s123-cdn-static.com/uploads/4410414/normal_5fcf158c4f7f7.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4424991/normal_605efe0a4acf0.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - http://laxujaju.pbworks.com/f/clash_and_clans_mod_apk.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/fa1bb866-fcf3-49cc-bdf9-8d7ff4ddd8d3/57373273986.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/fd525150-cef0-411d-b53d-8f20b777eca2/bipelexibalulexat.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/3a1b014c-f6fe-4000-b783-720b81d72b4a/solucionario_matematicas_3_eso_santillana_serie_resuelve.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/69b8d1c0-4ce0-42cc-985e-40f0345fc00f/24667348720.pdf (in PDF document text)
  - http://kesowununak.pbworks.com/w/file/fetch/144736827/51053931398.pdf (in PDF document text)
  - http://lugozamuxika.pbworks.com/f/pssa_training_quiz_answers.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/b700fa8f-a333-40df-9869-491842ae8ce7/rinazeguveboja.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/6b6cfcd5-257e-4db5-95bb-d00742547329/ver_los_juegos_del_hambre_sinsajo_-_parte_2_completa_en_espaol_repelis.pdf (in PDF document text)
  - http://sojakun.pbworks.com/w/file/fetch/144732186/27544698165.pdf (in PDF document text)
  - http://naxoxututal.pbworks.com/w/file/fetch/144444060/strongest_dinosaur_in_ark_2020.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/940e03a9-84d0-49d6-847f-b4babee662a7/39739718453.pdf (in PDF document text)
  - http://sawanixum.pbworks.com/f/english_conversation_exercises_with_answers.pdf (in PDF document text)
  - http://jebusolole.pbworks.com/w/file/fetch/144590604/what_is_the_theme_of_dork_diaries_9.pdf (in PDF document text)
  - http://jozeluwofe.pbworks.com/f/relavadasujomadupej.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/bc1b15e6-ed66-4794-8c1c-8e744d7df5c0/how_to_pray_the_rosary_pray_for_us.pdf (in PDF document text)
  - http://mujusevo.pbworks.com/w/file/fetch/144455931/93220382422.pdf (in PDF document text)
  - http://xugatun.pbworks.com/w/file/fetch/144902463/fiddler_on_the_roof_broadway_script.pdf (in PDF document text)
  - http://jutopar.pbworks.com/w/file/fetch/144654357/heuristic_evaluation_sheet.pdf (in PDF document text)
  - http://beratirupo.pbworks.com/f/77375294357.pdf (in PDF document text)
  - http://fuxijovipa.pbworks.com/f/50999890360.pdf (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
  - http://scripts.sil.org/OFL (in PDF document text)
  The last seven entries (w3.org, purl.org, ns.adobe.com, scripts.sil.org) are XMP/RDF namespace identifiers and the SIL Open Font License URL, i.e. metadata strings rather than navigable lures; the two ascendercorp.com links (a font foundry's site) most likely come from the embedded fonts' name tables as well. The lure content is the chcial.ru redirector plus the 23 .pdf links spread over pbworks.com subdomains, strikinglycdn.com, f-static.net and s123-cdn-static.com.
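To show how the PDF_SEO_DISPOSABLE_LINK_FARM signals can be re-derived from the extracted URL list, here is an added Python example; it is not the analyzer's own code. It takes the URLs listed above verbatim. The namespace-host set, the disposable-host suffixes and the numeric thresholds are assumptions of this example, not the analyzer's tuning.

```python
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Every URL the report extracted from this sample, copied from the EMBEDDED_URL
# listing above (the first came from a link annotation, the rest from text).
EXTRACTED_URLS = [
    "https://chcial.ru/pbw?utm_term=lunch+box+full+movie+download+720p",
    "https://static.s123-cdn-static.com/uploads/4410414/normal_5fcf158c4f7f7.pdf",
    "https://cdn-cms.f-static.net/uploads/4424991/normal_605efe0a4acf0.pdf",
    "http://www.ascendercorp.com/",
    "http://www.ascendercorp.com/typedesigners.html",
    "http://laxujaju.pbworks.com/f/clash_and_clans_mod_apk.pdf",
    "https://uploads.strikinglycdn.com/files/fa1bb866-fcf3-49cc-bdf9-8d7ff4ddd8d3/57373273986.pdf",
    "https://uploads.strikinglycdn.com/files/fd525150-cef0-411d-b53d-8f20b777eca2/bipelexibalulexat.pdf",
    "https://uploads.strikinglycdn.com/files/3a1b014c-f6fe-4000-b783-720b81d72b4a/solucionario_matematicas_3_eso_santillana_serie_resuelve.pdf",
    "https://uploads.strikinglycdn.com/files/69b8d1c0-4ce0-42cc-985e-40f0345fc00f/24667348720.pdf",
    "http://kesowununak.pbworks.com/w/file/fetch/144736827/51053931398.pdf",
    "http://lugozamuxika.pbworks.com/f/pssa_training_quiz_answers.pdf",
    "https://uploads.strikinglycdn.com/files/b700fa8f-a333-40df-9869-491842ae8ce7/rinazeguveboja.pdf",
    "https://uploads.strikinglycdn.com/files/6b6cfcd5-257e-4db5-95bb-d00742547329/ver_los_juegos_del_hambre_sinsajo_-_parte_2_completa_en_espaol_repelis.pdf",
    "http://sojakun.pbworks.com/w/file/fetch/144732186/27544698165.pdf",
    "http://naxoxututal.pbworks.com/w/file/fetch/144444060/strongest_dinosaur_in_ark_2020.pdf",
    "https://uploads.strikinglycdn.com/files/940e03a9-84d0-49d6-847f-b4babee662a7/39739718453.pdf",
    "http://sawanixum.pbworks.com/f/english_conversation_exercises_with_answers.pdf",
    "http://jebusolole.pbworks.com/w/file/fetch/144590604/what_is_the_theme_of_dork_diaries_9.pdf",
    "http://jozeluwofe.pbworks.com/f/relavadasujomadupej.pdf",
    "https://uploads.strikinglycdn.com/files/bc1b15e6-ed66-4794-8c1c-8e744d7df5c0/how_to_pray_the_rosary_pray_for_us.pdf",
    "http://mujusevo.pbworks.com/w/file/fetch/144455931/93220382422.pdf",
    "http://xugatun.pbworks.com/w/file/fetch/144902463/fiddler_on_the_roof_broadway_script.pdf",
    "http://jutopar.pbworks.com/w/file/fetch/144654357/heuristic_evaluation_sheet.pdf",
    "http://beratirupo.pbworks.com/f/77375294357.pdf",
    "http://fuxijovipa.pbworks.com/f/50999890360.pdf",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/pdf/1.3/",
    "http://ns.adobe.com/xap/1.0/",
    "http://ns.adobe.com/xap/1.0/mm/",
    "http://ns.adobe.com/xap/1.0/rights/",
    "http://scripts.sil.org/OFL",
]

# Assumptions of this example, not tables from the analyzer: hosts that only
# appear as XMP/RDF namespace identifiers, and providers treated as
# free/disposable content hosts.
NAMESPACE_HOSTS = {"www.w3.org", "purl.org", "ns.adobe.com"}
DISPOSABLE_SUFFIXES = ("pbworks.com", "strikinglycdn.com",
                       "f-static.net", "s123-cdn-static.com")


def is_disposable(host):
    return any(host == s or host.endswith("." + s) for s in DISPOSABLE_SUFFIXES)


def score_link_farm(urls, min_pdf_links=10, min_hosts=5, max_dominant_share=0.5):
    """Re-derive the PDF_SEO_DISPOSABLE_LINK_FARM signals for a URL list.

    The thresholds are illustrative assumptions, not the analyzer's tuning.
    """
    pdf_hosts = Counter()      # host -> number of .pdf links on it
    utm_redirectors = []       # links carrying an SEO utm_term search phrase
    namespace_uris = 0         # metadata URIs, not clickable destinations
    for url in urls:
        p = urlparse(url)
        host = p.hostname or ""
        if host in NAMESPACE_HOSTS:
            namespace_uris += 1
            continue
        if "utm_term" in parse_qs(p.query):
            utm_redirectors.append(url)
        if p.path.lower().endswith(".pdf"):
            pdf_hosts[host] += 1
    pdf_links = sum(pdf_hosts.values())
    top_host, top_count = (pdf_hosts.most_common(1) or [(None, 0)])[0]
    dominant_share = top_count / pdf_links if pdf_links else 0.0
    disposable = sum(n for h, n in pdf_hosts.items() if is_disposable(h))
    # "spread thin": many PDF links over many hosts, none of them dominant
    spread_thin = (pdf_links >= min_pdf_links
                   and len(pdf_hosts) >= min_hosts
                   and dominant_share < max_dominant_share)
    # corroboration: a utm_term redirector, or most links on disposable hosts
    corroborated = bool(utm_redirectors) or disposable * 2 >= pdf_links
    return {
        "pdf_links": pdf_links,
        "distinct_hosts": len(pdf_hosts),
        "dominant_host": top_host,
        "dominant_share": round(dominant_share, 3),
        "disposable_pdf_links": disposable,
        "utm_redirectors": utm_redirectors,
        "namespace_uris": namespace_uris,
        "fires": spread_thin and corroborated,
    }


if __name__ == "__main__":
    for key, value in score_link_farm(EXTRACTED_URLS).items():
        print(f"{key}: {value}")
```

Run against the list above, the check sees 23 .pdf links across 16 distinct hosts, the largest (uploads.strikinglycdn.com) holding about a third of them, every one of them on a disposable host, plus the chcial.ru utm_term redirector, so the rule fires. Folding the pbworks.com subdomains to their registered domain would make pbworks.com dominant; whether to count by hostname or by registered domain is a tuning decision this example leaves at hostname level.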
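The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL finding describes a parser-confusion shape: the same `N G obj` defined twice with different bodies, so first-wins and last-wins readers see different content. The following Python scanner is added here as an illustration and is not the analyzer's code. It builds a constructed two-revision PDF in which an incremental update silently swaps the /URI of a link annotation, reports objects whose whitespace-normalized bodies differ between definitions, raises severity only when a version carries active content, and shows what each resolution policy returns. The regex scan, the active-content key list and the severity labels are the example's own assumptions; a real reader resolves objects through the xref chain, which this byte-level scan deliberately ignores.

```python
import re

# Constructed sample, not the analyzed file: a two-revision PDF whose
# incremental update redefines object 4 0 (a link annotation) with a different
# /URI. Offsets and xref tables are omitted; the scan below is byte-based.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [10 10 100 30]
  /A << /S /URI /URI (https://example.invalid/benign.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /Rect [10 10 100 30]
  /A << /S /URI /URI (https://example.invalid/redirector?utm_term=x) >> >> endobj
trailer << /Root 1 0 R /Prev 9 >>
%%EOF
"""

# "N G obj ... endobj" bodies, scanned across every revision in the file.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Keys that make a redefined object "active" (assumed list for this example).
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch",
               b"/OpenAction", b"/AA", b"/SubmitForm")


def object_definitions(pdf):
    """Map (num, gen) -> list of whitespace-normalized bodies, in file order."""
    defs = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        defs.setdefault(key, []).append(b" ".join(m.group(3).split()))
    return defs


def resolve(pdf, num, gen, policy):
    """What a first-wins or last-wins reader would use for object num gen."""
    bodies = object_definitions(pdf).get((num, gen))
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def duplicate_findings(pdf):
    """Objects defined more than once with differing bodies."""
    findings = []
    for key, bodies in object_definitions(pdf).items():
        distinct = list(dict.fromkeys(bodies))   # unique, order preserved
        if len(distinct) < 2:
            continue   # identical re-emission: an ordinary incremental save
        active = any(k in body for body in distinct for k in ACTIVE_KEYS)
        findings.append({
            "obj": key,
            "versions": len(distinct),
            "first_wins": distinct[0],
            "last_wins": distinct[-1],
            # severity labels are this example's choice, not the analyzer's
            "severity": "medium" if active else "info",
        })
    return findings


if __name__ == "__main__":
    for f in duplicate_findings(SAMPLE_PDF):
        print(f"object {f['obj'][0]} {f['obj'][1]}: {f['versions']} versions, "
              f"severity {f['severity']}")
        print("  first-wins:", f["first_wins"].decode())
        print("  last-wins: ", f["last_wins"].decode())
```

Because the scan is purely textual, it will also match `obj`/`endobj` tokens that happen to appear inside uncompressed stream data, and it cannot tell a legitimate incremental save from a malicious one on its own; the page's rule handles that by keeping severity at info unless the conflicting version carries an action, which is what the ACTIVE_KEYS check models.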
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000dd45.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDD45 | 5776 bytes | c50a3d03ac8ab5c5711e1790f9abe3791c134d355d08b0fe4b9c54813f50b6ae |
| font_01_sfnt_off0000f0f3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF0F3 | 10352 bytes | 31666dd26f0b84ad253f0f01080c90073550a97f3005c92eedeadc5bea32dfc7 |