MALICIOUS
164
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The presence of numerous external links, including a link farm heuristic, suggests an attempt to manipulate search engine results or distribute further malicious content. The document body, though heavily obfuscated, contains a URL that appears to be a lure for downloading a 'candy crush gold bars hack apk', indicating a potential phishing or scam attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.9898
Heuristics 6
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://pelibifir.ru/wix?keyword=candy+crush+gold+bars+hack+apk+download
- https://tetalopen.weebly.com/uploads/1/3/1/8/131857308/foreve-fogol.pdf
- https://cdn-cms.f-static.net/uploads/4402740/normal_6032b8c6504e7.pdf
- https://fedofiri.weebly.com/uploads/1/3/2/6/132681193/dabozomuferubeb_zegeloruz.pdf
- https://jitaginedisa.weebly.com/uploads/1/3/4/3/134324559/zegeledisu.pdf
- https://ketevifut.weebly.com/uploads/1/3/1/4/131453005/6c3a0819f8f1e9.pdf
- https://retezuve.weebly.com/uploads/1/3/2/7/132741149/499330.pdf
- https://static.s123-cdn-static.com/uploads/4478415/normal_5ff7d89324966.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://4ec63ec4-77bf-4499-900e-7c522af20654.filesusr.com/ugd/35bdb9_ae9c9636a8074c87b1e1152f68b78251.pdf?index=true
- https://89f68ddc-9f98-4e60-8afa-3e0ca6603e9e.filesusr.com/ugd/4725f1_94de85eee24047c892981c7e20c7da21.pdf?index=true
- https://uploads.strikinglycdn.com/files/baaf4859-bce6-477c-a048-ef62fe9c45d6/11070763110.pdf
- https://34570882-574e-4d25-8c0e-d8b9b6c2967f.filesusr.com/ugd/cb2bed_38a3152965424ecdaf7bc91a7a96e2c6.pdf?index=true
- https://s3.amazonaws.com/wuvepilamamuse/43826012534.pdf
- https://56a7be67-7dca-40da-a973-69ad719fb73b.filesusr.com/ugd/fedf23_d3f0fecd71d145a6b09cf2932da0fe40.pdf?index=true
- https://s3.amazonaws.com/xijuxosisomuna/89835484152.pdf
- https://uploads.strikinglycdn.com/files/96f2bb0a-cc6f-42c2-802f-1c12d6e11a63/how_to_make_poached_eggs_in_an_egg_poacher.pdf
- https://s3.amazonaws.com/wesezuzuvalirik/sejixosetekos.pdf
- https://uploads.strikinglycdn.com/files/e0e76741-98db-4cb8-b8cc-5cae77f0ec7b/why_my_furnace_not_working.pdf
- https://c948e902-2437-43f3-9f1e-7aaad30688a7.filesusr.com/ugd/464a75_f36d2bbea11347ddaa7274218b9a3590.pdf?index=true
- https://s3.amazonaws.com/wegemebufojafak/3927931726.pdf
- https://s3.amazonaws.com/lomogas/92440483908.pdf
- https://f766a7e9-a0d0-4e3a-bf7c-946d2e8c2ff4.filesusr.com/ugd/bddb96_ceb6f64ffbd645f5aab48a606dd5bad9.pdf?index=true
- https://uploads.strikinglycdn.com/files/07eb5d0d-d403-4eba-b618-15254dc51212/how_to_earn_money_by_selling_notes.pdf
- https://uploads.strikinglycdn.com/files/734a19a1-758a-4792-bbba-0e5b4188ba83/sniper_ultimate_kill_full_hd_movie_download_in_hindi.pdf
- https://e6a48395-9ebc-465e-8505-c4b20d7b8e72.filesusr.com/ugd/81e12b_7bb7b78eb7804dd4a612e8aa863203ab.pdf?index=true
- https://7835c217-6b95-46a1-915a-76cdebae3fe0.filesusr.com/ugd/debfb4_31dfa8f61a3148da8837b094498cdcf7.pdf?index=true
- https://77a80da1-97a3-4b40-ba11-54c6d232eb66.filesusr.com/ugd/39a0fd_241198e64b854fddbc296a60957ac6fc.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00011376.binb93edd434f6ee67309498de7f85778de0651032490f7d6488c4967795670e36e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11376 | 5392 bytes |
font_01_sfnt_off000125c4.binf8e20823e8803d827f45e555cfc85ad71ef35312ea2be0dc6e1068091199f8d8 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x125C4 | 11376 bytes |
font_02_sfnt_off00014cea.bin5c37151e58b57006fec45205b953024960161fc126972448518f450544b1ac12 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x14CEA | 16660 bytes |
font_03_sfnt_off0001631d.bin1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1631D | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.