Verdict: MALICIOUS
Risk Score: 164
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF carries a large number of external links to other PDF files, clustered on a small set of file-hosting domains (s3.amazonaws.com, strikinglycdn.com, filesusr.com, weebly.com, medianewsonline.com). That is the generated SEO/link-farm carrier pattern flagged by the PDF_SEO_LINK_FARM heuristic, not a normal citation pattern, and such carriers are used to route users into malicious or unwanted-software delivery chains. The ClamAV signature and the ML classification independently support the malicious verdict. The only URL reached through a clickable link annotation, https://ponafet.ru/wix?keyword=excel+macro+paste+method+of+worksheet+class+failed, carries a keyword parameter that is the text of a common Excel VBA runtime error ("Paste method of Worksheet class failed"), which suggests search-engine poisoning aimed at users troubleshooting that error rather than a targeted lure. No JavaScript object was flagged among the heuristics below, so the T1059.007 mapping is not backed by a listed finding.
Machine Learning
- Nyx PDF Classifier malicious score 0.9994
Heuristics (6)

- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): a small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): the document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
- External URI (info, PDF_URI): the PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): the same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label gives the channel (macro, JS, link annotation, document body, ...) that reached it.
  - https://ponafet.ru/wix?keyword=excel+macro+paste+method+of+worksheet+class+failed (PDF link annotation)
  - http://zitosuganenat.medianewsonline.com/skilled_occupation_list_canada_2020_18.pdf (in PDF document text)
  - https://jexesatarufo.weebly.com/uploads/1/3/1/4/131437655/xisufanawu.pdf (in PDF document text)
  - http://giwewigipebi.medianewsonline.com/mcdougal_littell_modern_world_history_patterns_of_interaction_teachers_edition.pdf (in PDF document text)
  - https://jiburivaduvu.weebly.com/uploads/1/3/4/4/134473865/sanebikafivewa.pdf (in PDF document text)
  - http://balegetiwep.mywebcommunity.org/design_metrics_in_software_engineering.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - https://uploads.strikinglycdn.com/files/29d02d5f-339f-4bdd-8956-143002efa442/fazuxa.pdf (in PDF document text)
  - https://s3.amazonaws.com/wazorixekunafob/29592291264.pdf (in PDF document text)
  - https://a819be37-316e-4347-83bc-b067fb6953c8.filesusr.com/ugd/d5662a_fb7112b0f82744abaf7b93fa20be4ee0.pdf?index=true (in PDF document text)
  - https://0dd4521b-3e41-4083-9bcc-807cce03ae78.filesusr.com/ugd/cfe2e9_116b592de6be4674827a55890c3f2712.pdf?index=true (in PDF document text)
  - https://s3.amazonaws.com/fofeguj/feralis_biology_notes.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/8d8fc825-7a9e-477e-a097-6072da6d1abb/langston_hughes_salvation_full_text.pdf (in PDF document text)
  - https://s3.amazonaws.com/zagapaxa/marizalal.pdf (in PDF document text)
  - https://s3.amazonaws.com/tarizirefevifab/duvivitit.pdf (in PDF document text)
  - https://s3.amazonaws.com/zowejunef/site_of_formation_blood_cells.pdf (in PDF document text)
  - https://8319d365-0190-44ee-b2f3-e76f6fd230eb.filesusr.com/ugd/112488_ea8090e7355447a5846f054e350746a6.pdf?index=true (in PDF document text)
  - https://uploads.strikinglycdn.com/files/1e38b469-0586-4730-a01c-0f2fe76106e8/ruvixanarona.pdf (in PDF document text)
  - http://jimomurapujivo.onlinewebshop.net/2008_g35_transmission_fluid_change.pdf (in PDF document text)
  - https://ad9f1622-e3b7-49db-bfef-326c48fb2104.filesusr.com/ugd/a467d2_4d8443224cff427aa1084faa31475b6b.pdf?index=true (in PDF document text)
  - https://s3.amazonaws.com/pidufozu/56129084430.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/e8459f29-0be9-4452-b309-93a478e46a92/como_trabajar_la_inteligencia_emocional_en_primaria.pdf (in PDF document text)
  - https://s3.amazonaws.com/kovezux/acdc_tnt_guitar.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/b7dc9e98-589d-49ad-898b-e10eee516556/70547830415.pdf (in PDF document text)
  - https://s3.amazonaws.com/sikuva/free_bluetooth_for_android_tablet_apk.pdf (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
  - http://scripts.sil.org/OFL (in PDF document text)

  Note that the w3.org, purl.org and ns.adobe.com entries are XMP/RDF namespace identifiers from the document's metadata packet, and scripts.sil.org/OFL is the SIL Open Font License URL normally carried in font metadata; the two ascendercorp.com pages are likely font-vendor metadata as well (two sfnt fonts are embedded, see the extracted artifacts). None of these are clickable links, so they should not be counted toward the link-farm clustering.
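The PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL findings above describe two checks worth reproducing by hand: the first explains most of the verdict, and the second is easy to misread unless you see how two readers resolve the same object differently. The Python below is an added example, not the analyzer's own code. It builds a small constructed PDF (nine links on one host, one XMP namespace URI, and link annotation 5 0 redefined by an appended incremental update), extracts URLs per channel the way the report labels them, scores host clustering, finds redefined objects, and shows that a first-wins and a last-wins reader resolve different /URI targets from the same bytes. The thresholds (min_links, min_share), the example domains and the namespace-host filter are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Byte-level regexes: adequate for the uncompressed objects in the constructed
# sample below. Real carriers often hide annotations inside FlateDecode object
# streams, which a production scanner must inflate before applying these.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
TEXT_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")

# XMP/RDF namespace identifiers live in document metadata and are not links
# (assumed filter list for this example).
XMP_NAMESPACE_HOSTS = {"www.w3.org", "purl.org", "ns.adobe.com"}


def iter_objects(pdf):
    """Yield ((num, gen), body) for every 'N G obj ... endobj' in file order."""
    for m in OBJ_RE.finditer(pdf):
        yield (int(m.group(1)), int(m.group(2))), m.group(3).strip()


def duplicate_object_bodies(pdf):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: objects defined more than once with
    differing body bytes. Returns {(num, gen): [body, ...]} in file order."""
    seen = defaultdict(list)
    for ref, body in iter_objects(pdf):
        seen[ref].append(body)
    return {ref: bodies for ref, bodies in seen.items() if len(set(bodies)) > 1}


def resolve(pdf, ref, policy="last"):
    """Resolve an indirect object as a first-wins or last-wins reader would."""
    bodies = [b for r, b in iter_objects(pdf) if r == ref]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def extract_urls(pdf):
    """Return [(url, channel)], labelling each URL with the channel that carried
    it (link-annotation /URI action vs. plain document text), as the report does."""
    found = [(m.group(1).decode("latin-1"), "link annotation")
             for _, body in iter_objects(pdf) for m in URI_ACTION_RE.finditer(body)]
    annotated = {u for u, _ in found}
    for m in TEXT_URL_RE.finditer(pdf):
        url = m.group(0).decode("latin-1")
        if url not in annotated:
            found.append((url, "document text"))
    return found


def link_farm(urls, min_links=8, min_share=0.6):
    """PDF_SEO_LINK_FARM: many external links, most of them on one host.
    Thresholds are illustrative, not the analyzer's. Returns (hit, host, share)."""
    hosts = Counter(h for h in (urlsplit(u).hostname for u, _ in urls)
                    if h and h not in XMP_NAMESPACE_HOSTS)
    total = sum(hosts.values())
    if total < min_links:
        return False, None, 0.0
    host, n = hosts.most_common(1)[0]
    return n / total >= min_share, host, n / total


def build_sample():
    """Constructed sample (not the analysed file): a one-page PDF whose content
    stream carries nine links on one host plus one XMP namespace URI, and whose
    link annotation 5 0 is redefined by an appended incremental update."""
    links = b"\n".join(b"(http://farm.example/%d.pdf) Tj" % i for i in range(9))
    content = (b"BT /F1 12 Tf 72 720 Td\n" + links +
               b"\n(http://www.w3.org/1999/02/22-rdf-syntax-ns#) Tj\nET")
    annot = (b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
             b"/A << /S /URI /URI (%s) >> >>\nendobj\n")
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>\nendobj\n",
        b"4 0 obj\n<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream\nendobj\n",
        annot % b"https://docs.example.org/help",                # original body of 5 0
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
        annot % b"http://lure.example/wix?keyword=excel+macro",  # incremental update, same 5 0
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    sample = build_sample()
    for ref, bodies in duplicate_object_bodies(sample).items():
        print("%d %d obj defined %d times with differing bodies" % (*ref, len(bodies)))
        print("  first-wins reader resolves:", resolve(sample, ref, "first"))
        print("  last-wins reader resolves: ", resolve(sample, ref, "last"))
    urls = extract_urls(sample)
    hit, host, share = link_farm(urls)
    print("%d URLs; link farm: %s (top host %s, share %.2f)" % (len(urls), hit, host, share))
```

Run it directly to print the two resolutions of object 5 0 and the link-farm score. The namespace filter is there because, as the URL list above shows, an extractor that scans raw document text also picks up the w3.org and ns.adobe.com identifiers from the XMP packet; counting those as external links would distort the host clustering that the heuristic depends on.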
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off000158b9.bin | 14f827072a32a1814948102f72f0037fedb7694fb05540845c2333532467c6d6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x158B9 | 5576 bytes |
| font_01_sfnt_off00016b9c.bin | d5786002d1336568abdc7ae75c0cdfb8319963e9590b2a2637feca69ed347932 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16B9C | 11648 bytes |