Verdict: MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF file was flagged as malicious by ML classifiers and ClamAV. It contains numerous external URLs, indicating a link farm designed to redirect users to potentially harmful content. The PDF_SEO_DISPOSABLE_LINK_FARM heuristic suggests these links are hosted on disposable domains, a common tactic for phishing or malware distribution. No scripts were extracted, but the presence of many external links points to an initial access attempt via spearphishing attachment.
Machine Learning
- Nyx PDF Classifier malicious score 0.9984
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The link annotation URL is https://bologen.ru/wix?keyword=aklys+pathfinder+2e; the remaining URLs were found in the PDF document text.
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00025aee.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x25AEE | 5416 bytes | 431414ef36bfda720d6f3c66fea75b18a54b29a009f8f4bf1cc70d722ee0202a |
| font_01_sfnt_off00026d64.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x26D64 | 11516 bytes | 27607c3f921f8e25ac744942325edc276e67caaf0d453b649e0f4f187f3b69bb |