MALICIOUS
196
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file contains numerous external links, many of which point to SEO-optimized PDF files, suggesting a link farm or phishing campaign. The primary URL, 'https://jacksth.ru/strik?utm_term=how+to+activate+windows+10+free+2020', is identified as an SEO redirector, likely used to funnel users towards malicious content. The ML classifier and ClamAV detection strongly indicate malicious intent, consistent with a phishing or trojan distribution scheme.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINKPDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://jacksth.ru/strik?utm_term=how+to+activate+windows+10+free+2020 PDF link annotation
- https://static.s123-cdn-static.com/uploads/4421224/normal_600600b45b790.pdfIn PDF document text
- https://gileledera.weebly.com/uploads/1/3/0/8/130874536/kabavagibiwux_gotafifo_muvaxaxatanoso.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4486981/normal_6022326c2b598.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4485156/normal_604f80d46ebc5.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4476938/normal_605ddbf98e537.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4388271/normal_5fde26226af7c.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4388037/normal_6012e234750c2.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4468268/normal_600ea05fe69c9.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4365586/normal_600460720fa67.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4466153/normal_60003b813d09a.pdfIn PDF document text
- https://bivufinemena.weebly.com/uploads/1/3/1/3/131380184/gizowipobowigaled.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4457570/normal_603ea34895569.pdfIn PDF document text
- https://rogupogadagome.weebly.com/uploads/1/3/1/3/131398605/jinumazo.pdfIn PDF document text
- https://menolalosixoj.weebly.com/uploads/1/3/4/7/134714047/a37b476a8675f.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4410194/normal_606118f4b15d9.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4425916/normal_601fd1c77603c.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4401697/normal_5fee9fa71b47c.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4370985/normal_6015b74727c1d.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4413373/normal_5ff1496b186b2.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.daltonmaag.com/In PDF document text
- https://uploads.strikinglycdn.com/files/667d0031-5093-423f-b39d-9c201c6fafdf/how_to_prune_jude_the_obscure_rose.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/9b6005f0-5ae1-4985-88ca-8352daeeab5e/thermaltake_power_supply_tester_instructions.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e56c.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE56C | 5208 bytes |
SHA-256: 2f83f5bb70aeb778df830324f776e49cb01665f880019775e0d0e795c561738b |
|||
font_01_sfnt_off0000f741.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF741 | 10780 bytes |
SHA-256: 3ad37852344b43042114a65c4370617dd4ba4018743e57f14f325b5262b445f9 |
|||
font_02_sfnt_off00011c42.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11C42 | 4324 bytes |
SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.