MALICIOUS (Risk Score: 102)
Malware Insights
MITRE ATT&CK: T1566.001 Spearphishing Attachment
The PDF contains embedded JavaScript, which is a common technique for malicious PDFs to execute code. The embedded JavaScript likely redirects the user to external URLs, as indicated by the PDF_URI and EMBEDDED_URL heuristics. One of the identified URLs, http://mirutte.com/newsfiles/files/34505764167.pdf, is part of a link farm, suggesting a phishing or scam attempt. The ClamAV detection further confirms the malicious nature of the file.
Machine Learning
- Nyx PDF Classifier suspicious score 0.3555
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- Embedded JS stream [low, PDF_JS]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://mirutte.com/newsfiles/files/34505764167.pdf (in PDF document text)
  - http://boilerservis.ru/uploads/files/rawuwoxuturexudijeb.pdf (in PDF document text)
  - http://kryotherapie.net/neu/userfiles/file/ruluk.pdf (in PDF document text)
  - https://bhopalliteraturefestival.com/mpsdp/uploads/files/1285934987.pdf (in PDF document text)
  - https://bold-iot.com/uploads/files/202109111718412677.pdf (in PDF document text)
  - https://fruitssupplier.com/app/webroot/img/files/82017443076.pdf (in PDF document text)
  - http://hidramaco.com/files/files/27429420194.pdf (in PDF document text)
  - http://turnwealthy.com/ckfinder/userfiles/files/fenegogiwilomut.pdf (in PDF document text)
  - http://archpiudue.com/userfiles/files/jezorodisumizugi.pdf (in PDF document text)
  - http://mail-ex.net/userfiles/file/57166702035.pdf (in PDF document text)
  - http://hoangminhsaigon.vn/@dmin/js/ckfinder/userfiles/files/bukakilorazavetirix.pdf (in PDF document text)
  - https://suemsas.com/wp-content/plugins/super-forms/uploads/php/files/embl54bcal2l5g7f95dpn08kq2/toxuxegeseferugezazax.pdf (in PDF document text)
  - http://tvoirostov.ru/ckfinder/userfiles/files/48752544552.pdf (in PDF document text)
  - http://sage-chem.com/image/files/20210913_221911.pdf (in PDF document text)
  - https://helicopterleasingservices.com/userfiles/files/niwopavovakubu.pdf (in PDF document text)
  - https://xnkvinatimex.com/uploads/files/72670155772.pdf (in PDF document text)
  - http://www.coverseg.com/uploads/ckfinder/files/zowewapijegifiwomuzibaju.pdf (in PDF document text)
  - http://cu-mbc.com/ckfinder/userfiles/files/11699961190.pdf (in PDF document text)
  - http://flemingdecal.com/uploads/assets/file/befuzokojefawazos.pdf (in PDF document text)
  - http://helloslow.com/data/userfiles/files/mebomadelifodipeluxopimol.pdf (in PDF document text)
  - http://hsaltsj.com/uploads/files/60206787455.pdf (in PDF document text)
  - https://tiemhoahaibara.com/data/dulieu/files/xokepadifudinagokemes.pdf (in PDF document text)
  - http://www.yevres.fr/ckfinder/userfiles/files/sobazonudepisezanonuvezez.pdf (in PDF document text)
  - https://mb-classic-service.de/userfiles/file/jusekovilujuxedetisow.pdf (in PDF document text)
  - https://akrmedia.no/ckfinder/userfiles/files/21741177268.pdf (in PDF document text)
  - https://sacc-la-chaux-de-fonds.ch/fichiers/file/kipipazixorenaxewezajugar.pdf (in PDF document text)
  - https://feedproxy.google.com/~r/Uplcv/~3/Om9ozkHLxGw/uplcv?utm_term=porque+no+soy+cristiano+pdf (PDF link annotation)
  - http://dejavu.sourceforge.net (in PDF document text)
  - http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000bf2a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBF2A | 10928 bytes | 5930e18c667f61b6df1a4caa12795ec147824675832b61373319c3fe0671f768 |
| font_01_sfnt_off0000d880.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD880 | 16792 bytes | 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |