Verdict: MALICIOUS
Risk score: 156
Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript

The PDF carries an unusually large number of external links for its size, which triggered the PDF_SEO_LINK_FARM heuristic. The URL attached to the link annotation (the one a reader actually follows on click) points to 'mezovuduw.ru', and most of the remaining URLs found in the document text cluster on filesusr.com and s3.amazonaws.com, a pattern consistent with a generated SEO carrier that routes users into phishing or unwanted-software delivery chains rather than a genuine document. The Nyx ML classifier (malicious score 0.9991) and the ClamAV signature Pdf.Phishing.Trojan agree on the verdict. Note that none of the listed heuristics reports JavaScript or any active content beyond URI actions, so the T1059.007 (JavaScript) mapping above is not corroborated by the evidence in this report.
Machine Learning
- Nyx PDF Classifier malicious score 0.9991
Heuristics (5)

- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION] ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM] Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI [info, PDF_URI] PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL] The same indirect object (the same `N G obj` header) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL] One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URLs extracted (channel in parentheses):
- https://mezovuduw.ru/aws?utm_term=modern+version+of+midsummer+night%2527s+dream (PDF link annotation)
- http://rofuxipof.mywebcommunity.org/59118310910.pdf (in PDF document text)
- http://astrohelp.space/famous_hashtags_on_instagram_to_get_likesiemt0.pdf (in PDF document text)
- http://gejikojaki.scienceontheweb.net/balakirev_islamey.pdf (in PDF document text)
- http://xupokaxe.medianewsonline.com/how_to_write_a_good_poem_for_beginners.pdf (in PDF document text)
- http://muzhskoizhurnal.ru/the_story_of_oj_instrumental_downloadgg6sm.pdf (in PDF document text)
- http://shlifovka-pol.website/what_does_a_page_break_look_like_in_excel67s68.pdf (in PDF document text)
- http://jofufunobek.sportsontheweb.net/31553488872.pdf (in PDF document text)
- http://www.ascendercorp.com/ (in PDF document text)
- http://www.ascendercorp.com/typedesigners.html (in PDF document text)
- https://cf4de027-7369-46c2-bf93-d69cabef2b5e.filesusr.com/ugd/868b90_52d1344220f24432aa60e33ae3a55838.pdf?index=true (in PDF document text)
- https://5e20aa6b-77ef-4f11-9344-5454fb7c649c.filesusr.com/ugd/fb3aa9_cd3530b07b714abdbe38a1006036efdc.pdf?index=true (in PDF document text)
- https://s3.amazonaws.com/tejuvonixag/variation_guideline_ema_2017.pdf (in PDF document text)
- https://a819be37-316e-4347-83bc-b067fb6953c8.filesusr.com/ugd/d5662a_12ac47aa65984fb1ad967fc5972032a0.pdf?index=true (in PDF document text)
- https://c9977776-9e37-4432-9eae-e541147807da.filesusr.com/ugd/bb6cc6_1ffd193e2cd94feea76b407dfa31cfa4.pdf?index=true (in PDF document text)
- https://s3.amazonaws.com/pozokimepe/snowblower_chute_will_not_turn.pdf (in PDF document text)
- https://s3.amazonaws.com/tevigotu/rilelozuzipa.pdf (in PDF document text)
- https://s3.amazonaws.com/warapagefasovi/sowukem.pdf (in PDF document text)
- https://s3.amazonaws.com/gogoxowiniza/gateway_dx4860-ub32p_specs.pdf (in PDF document text)
- https://s3.amazonaws.com/rebesudanolo/delonghi_oil_filled_radiator_price.pdf (in PDF document text)
- https://df1d5e35-4e67-4e57-ba41-6141a32c4ecb.filesusr.com/ugd/c54278_97a9dee8b24442a8a0701154a684d076.pdf?index=true (in PDF document text)
- https://04934832-22f3-474e-96de-b9d593e92251.filesusr.com/ugd/f390e7_96f870e19bc34eb2a2707b90350e163a.pdf?index=true (in PDF document text)
- https://s3.amazonaws.com/rirusozo/blizzard_app_slow.pdf (in PDF document text)
- https://944bcc21-9f45-42c2-9889-8cf837fa5d1c.filesusr.com/ugd/50f869_b7aa8846050b4e749935f58b80e01c10.pdf?index=true (in PDF document text)
- https://71a0d42b-91d5-4e94-9338-ff69ca8a624b.filesusr.com/ugd/e5d5e5_5642e1aeaf7846ac8d8bcb8aa7f3773b.pdf?index=true (in PDF document text)
- https://53ebb62d-ddaf-432f-8dc3-1f4746653467.filesusr.com/ugd/bbd3cf_4619844985c040b7981cc25cb28f4f1d.pdf?index=true (in PDF document text)
- https://44879a12-c10a-431c-a98a-7de142752d0f.filesusr.com/ugd/bb4607_0322bf30d75647c48049fe42e936b7d0.pdf?index=true (in PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
- http://purl.org/dc/elements/1.1/ (in PDF document text)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
- http://scripts.sil.org/OFL (in PDF document text)

The last seven entries are RDF, Dublin Core and Adobe XMP namespace identifiers plus the SIL Open Font License URL; they come from the XMP metadata stream and embedded font metadata, are not clickable links, and do not count toward the link-farm signal. The two ascendercorp.com entries are a font vendor's URLs and most likely originate from the embedded font data as well. The operationally relevant indicators are the link-annotation target on mezovuduw.ru and the clusters of PDF URLs on filesusr.com, s3.amazonaws.com and the assorted free-hosting domains.
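As an added illustration of how the PDF_SEO_LINK_FARM, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL heuristics above can be reproduced, the following stdlib-only Python scans raw PDF bytes for `N G obj ... endobj` definitions, `/URI` link-annotation targets and URLs in document text. This is not the analyzer's code: the thresholds, the severity labels, the helper names and the constructed sample PDF (hosts under `.example`) are all assumptions made for the example. The sample deliberately redefines object `5 0` in an incremental update so that first-wins and last-wins readers resolve different link targets, and it includes an XMP namespace URI so the metadata-versus-navigable distinction from the list above is visible.

```python
"""Added example: stdlib-only checks that reproduce the shape of the
PDF_SEO_LINK_FARM, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL
heuristics over a raw PDF byte string. Not the analyzer's code; thresholds,
helper names and the sample PDF are assumptions."""
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed thresholds, not the analyzer's tuning.
MAX_SMALL_PDF_BYTES = 200_000
MIN_LINKS = 10
MIN_TOP_HOST_SHARE = 0.6
# XMP/RDF namespace identifiers and font-licence URLs that live in metadata
# streams; they are not navigable links and must not count toward the farm.
NAMESPACE_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns",
                      "http://purl.org/dc/", "http://ns.adobe.com/",
                      "http://scripts.sil.org/OFL")
ACTIVE_TOKENS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction", b"/AA")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)   # literal-string /URI only
TEXT_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")


def scan_objects(pdf: bytes):
    """All 'N G obj ... endobj' definitions in file order, duplicates included."""
    return [(int(m[1]), int(m[2]), m[3].strip()) for m in OBJ_RE.finditer(pdf)]


def duplicate_objects(pdf: bytes) -> dict:
    """(num, gen) -> list of differing bodies. bodies[0] is what a first-wins
    reader resolves, bodies[-1] what a last-wins reader resolves."""
    seen = {}
    for num, gen, body in scan_objects(pdf):
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def duplicate_severity(bodies) -> str:
    """Body-only differences are normal in incremental updates; raise severity
    only when some version of the object carries active content."""
    return "high" if any(t in b for b in bodies for t in ACTIVE_TOKENS) else "info"


def link_annotation_uris(pdf: bytes) -> list:
    uris = []
    for m in URI_RE.finditer(pdf):
        raw = re.sub(rb"\\([()\\])", rb"\1", m[1])   # undo \( \) \\ escapes
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm_report(pdf: bytes) -> dict:
    """Flag a small file whose clickable links mostly point at one host."""
    uris = link_annotation_uris(pdf)
    hosts = Counter(urlparse(u).hostname or "" for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(uris) if uris else 0.0
    flagged = (len(pdf) <= MAX_SMALL_PDF_BYTES and len(uris) >= MIN_LINKS
               and share >= MIN_TOP_HOST_SHARE)
    return {"size": len(pdf), "links": len(uris), "top_host": top_host,
            "top_share": round(share, 2), "flagged": flagged}


def text_urls(pdf: bytes) -> list:
    """URLs in the raw bytes that are not link-annotation targets, labelled so
    metadata namespaces are not mistaken for navigable links."""
    annot = set(link_annotation_uris(pdf))
    out = []
    for m in TEXT_URL_RE.finditer(pdf):
        u = m[0].decode("latin-1")
        if u in annot:
            continue
        out.append((u, "metadata-namespace" if u.startswith(NAMESPACE_PREFIXES) else "document-text"))
    return out


def build_sample_pdf(n_links: int = 12, farm_host: str = "farm.example") -> bytes:
    """Constructed sample: a tiny PDF whose link annotations cluster on one host,
    an XMP stream, a URL in page text, and object 5 0 redefined by an incremental
    update so that first-wins and last-wins readers see different targets."""
    xmp = '<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>'
    text = "BT (mirror: http://mirror.example/file.pdf) Tj ET"
    annots = " ".join(f"{10 + i} 0 R" for i in range(n_links))
    parts = ["%PDF-1.4\n",
             "1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>\nendobj\n",
             "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
             f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 6 0 R /Annots [5 0 R {annots}] >>\nendobj\n",
             f"4 0 obj\n<< /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\nstream\n{xmp}\nendstream\nendobj\n",
             "5 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://benign.example/) >> >>\nendobj\n",
             f"6 0 obj\n<< /Length {len(text)} >>\nstream\n{text}\nendstream\nendobj\n"]
    for i in range(n_links):
        parts.append(f"{10 + i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                     f"/A << /S /URI /URI (https://{farm_host}/p{i}.pdf) >> >>\nendobj\n")
    parts.append("trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    # Incremental update: same object number and generation, different body.
    parts.append(f"5 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://{farm_host}/landing) >> >>\nendobj\n"
                 "trailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n")
    return "".join(parts).encode("latin-1")


if __name__ == "__main__":
    pdf = build_sample_pdf()
    print(link_farm_report(pdf))
    for key, bodies in duplicate_objects(pdf).items():
        print(key, duplicate_severity(bodies), bodies[0][:60], "->", bodies[-1][:60])
    for url, kind in text_urls(pdf):
        print(kind, url)
```

The regex scanner is deliberately naive: it only sees literal-string `/URI (...)` actions, ignores hex strings and anything inside compressed object streams, and does not follow the xref chain. That is enough to reproduce the report's shape on an uncompressed carrier like this one, but a production check should inflate `/FlateDecode` streams and walk both the first and the last definition of every duplicate object, because the answer to "where does the click go?" depends on which one the victim's reader trusts.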
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00011742.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11742 | 5388 bytes | a750c599852d44c361c0f3bb122cb5225f97b810862468d68b9f137b44472944 |
| font_01_sfnt_off00012987.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12987 | 11284 bytes | 9b5a21c79f18894a3ebcf1e219cb085e5e948fe7d7f920d2fafe0c8b387f8a60 |