Verdict: MALICIOUS
Risk Score: 186

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains a large number of external links, many pointing to disposable hosting, which indicates a link farm built for SEO manipulation or phishing. The embedded document body, though heavily obfuscated, contains text about personal finance apps and the wkhtmltopdf tool, suggesting a generated lure. A critical ClamAV detection and a high ML score further support the malicious verdict. The file is most likely a phishing carrier or a redirector into a further malware delivery chain; the PDF itself carries no exploit, so the risk lies in the linked destinations.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics (6)
- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the "free document/template" SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
- https://botokaw.ru/strik?utm_term=mejor+app+para+finanzas+personales (PDF link annotation)
- http://vuvuga.xyz/4411188131404mrw.pdf (in PDF document text)
- http://aov.one/euro_truck_simulator_2_product_key_2012tc72p.pdf (in PDF document text)
- http://www.ascendercorp.com/ (in PDF document text)
- http://www.ascendercorp.com/typedesigners.html (in PDF document text)
- https://5984e891-aecd-43e6-866f-efdb297c9c35.filesusr.com/ugd/403565_00f2ae9e9eb241a79b2fdba1457cc1fb.pdf?index=true (in PDF document text)
- https://uploads.strikinglycdn.com/files/290186c5-6eb4-42ec-8da9-21587330c5c2/hp_laserjet_m1212nf_mfp_scanner_driver_mac.pdf (in PDF document text)
- https://s3.amazonaws.com/paropabaru/sozob.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/e7be00e3-2716-4d80-85cb-4663397ef514/lockpickinglawyer_gun_vault.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/6faa6f2a-6786-4b91-b15d-8b86a639732f/honda_2600_psi_pressure_washer_pump_replacement.pdf (in PDF document text)
- https://37991ae0-d72b-4ccf-bf90-288dedd591e7.filesusr.com/ugd/041b56_f873acbb983a402586c3612181a5c4fb.pdf?index=true (in PDF document text)
- https://uploads.strikinglycdn.com/files/c5ca65a5-7cee-4844-8670-5fd528ac3f05/basic_chess_moves.pdf (in PDF document text)
- https://e114ad41-1367-46fe-a5fd-427bf640f69d.filesusr.com/ugd/a63c55_3f4f471a2da14d7999b558e9fbc5c392.pdf?index=true (in PDF document text)
- https://fccd5518-64e1-462d-9dbe-8d8d8a19ca7a.filesusr.com/ugd/eb005d_e30df31bc53e447b89cc76a116ca153e.pdf?index=true (in PDF document text)
- https://uploads.strikinglycdn.com/files/67b94bbf-05c6-48b3-b13e-431c75d44c16/never_eat_alone_chapter_summary.pdf (in PDF document text)
- https://d04c2b29-3777-4fe6-aaa9-ab96f87c3324.filesusr.com/ugd/43eb95_54843d2b69624ad5b384b3a43d1a288c.pdf?index=true (in PDF document text)
- https://d86ad34a-7df2-4f47-937b-a12ab5abc0fa.filesusr.com/ugd/8cbfce_82002ce8139745d9bc98847ffd3e555b.pdf?index=true (in PDF document text)
- https://s3.amazonaws.com/nopomewegobij/state_compensation_insurance_fund_payroll_report.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/2fbb8f74-3566-4380-9c51-490c21b3b87a/algebra_and_trigonometry_10th_edition_larson.pdf (in PDF document text)
- https://s3.amazonaws.com/begijufadi/paxutinujozaviwasaze.pdf (in PDF document text)
- https://bcbc83ff-a82b-4234-bf1d-c69e8cae54d5.filesusr.com/ugd/057c82_a09c9e1aa2f6416c81046bb7b1f99e4a.pdf?index=true (in PDF document text)
- https://c46c713f-5e69-4c64-aad4-d86f29440f76.filesusr.com/ugd/957c7b_cd43f72dd87a4214831d16ffa8e0d527.pdf?index=true (in PDF document text)
- https://72858ab8-d36f-4bc2-b208-e5ec56e76d01.filesusr.com/ugd/3a4e0e_89422d257fe74947a5ab9b2396c74b5f.pdf?index=true (in PDF document text)
- https://uploads.strikinglycdn.com/files/cc4bf943-eb21-4403-9c0f-fc67c00c0036/fosapividilokofere.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/c63f83a0-ec94-411e-8931-823597c6fca3/2004_dodge_ram_1500_fuel_pump_pigtail.pdf (in PDF document text)
The remaining URLs are XMP metadata namespace identifiers and font licence strings (SIL OFL, DejaVu) carried by the embedded fonts, not lure links; the two ascendercorp.com entries above likewise appear to come from font-foundry metadata rather than from the link farm:
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
- http://purl.org/dc/elements/1.1/ (in PDF document text)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
- http://scripts.sil.org/OFL (in PDF document text)
- http://dejavu.sourceforge.net (in PDF document text)
- http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
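The three heuristics above (PDF_SEO_LINK_FARM, PDF_SEO_DISPOSABLE_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced over raw PDF bytes with a few regular expressions. The script below is an added example written for this report, not the analyzer's own code; every regex, the thresholds MIN_PDF_LINKS, DOMINANT_SHARE and MAX_SMALL_SIZE, the placeholder hostnames, and the hand-written SAMPLE_PDF bytes are assumptions for illustration. It separates the two URL channels the report labels (link annotation versus document text), counts external .pdf links per host, uses the share held by the most common host to decide between the clustered and the non-clustered farm label (mutually exclusive in this toy logic), records any utm_term redirector as corroboration, and shows how a first-wins and a last-wins reader disagree when an object number is redefined after %%EOF. A real scanner must also inflate FlateDecode object streams first, which this example does not do.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Thresholds are assumptions for illustration, not the analyzer's real cut-offs.
MIN_PDF_LINKS = 4         # fewer external .pdf links looks like normal citation
DOMINANT_SHARE = 0.6      # one host holding >= 60% of links = "clustered" farm
MAX_SMALL_SIZE = 200_000  # above this many bytes the "small PDF" precondition fails

# /A << /S /URI /URI (...) >> inside a link annotation: the clickable channel
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
# bare URLs anywhere in the bytes (content streams, XMP); parentheses excluded
TEXT_URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+")
# "N G obj ... endobj"; the same (N, G) legitimately recurs in incremental updates
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)


def extract_urls(pdf):
    """Return [(url, channel)], channel = 'link annotation' or 'document text'."""
    found, seen = [], set()
    for m in URI_ACTION_RE.finditer(pdf):
        url = m.group(1).decode("latin-1")
        if url not in seen:
            seen.add(url)
            found.append((url, "link annotation"))
    for m in TEXT_URL_RE.finditer(pdf):
        url = m.group(0).decode("latin-1")
        if url not in seen:
            seen.add(url)
            found.append((url, "document text"))
    return found


def classify_link_farm(pdf):
    """Label a PDF as normal, clustered link farm, or non-clustered (disposable) farm."""
    hosts, utm_links = Counter(), []
    for url, _ in extract_urls(pdf):
        parts = urlsplit(url)
        if "utm_term" in parse_qs(parts.query):
            utm_links.append(url)               # SEO-redirector corroboration
        if parts.path.lower().endswith(".pdf"):
            hosts[parts.hostname or ""] += 1    # only external .pdf links count
    total = sum(hosts.values())
    result = {"pdf_links": total, "hosts": dict(hosts), "utm_term_links": utm_links}
    if len(pdf) > MAX_SMALL_SIZE or total < MIN_PDF_LINKS:
        result["label"] = "normal"
        return result
    top_host, top_count = hosts.most_common(1)[0]
    if top_count / total >= DOMINANT_SHARE:
        result.update(label="PDF_SEO_LINK_FARM", dominant_host=top_host)
    else:
        result["label"] = "PDF_SEO_DISPOSABLE_LINK_FARM"  # spread thin over hosts
    return result


def duplicate_objects(pdf):
    """(num, gen) pairs defined more than once with differing body bytes."""
    first, dups = {}, []
    for m in OBJ_RE.finditer(pdf):
        key, body = (int(m.group(1)), int(m.group(2))), m.group(3).strip()
        if key not in first:
            first[key] = body
        elif first[key] != body and key not in dups:
            dups.append(key)
    return dups


def resolve_object(pdf, num, gen, policy="last"):
    """Body that a first-wins or last-wins reader would use for `num gen obj`."""
    bodies = [m.group(3).strip() for m in OBJ_RE.finditer(pdf)
              if (int(m.group(1)), int(m.group(2))) == (num, gen)]
    if not bodies:
        raise KeyError((num, gen))
    return bodies[0] if policy == "first" else bodies[-1]


def synth_pdf(urls):
    """Constructed PDF-like bytes whose single content stream shows the given URLs."""
    text = b" ".join(b"(" + u.encode() + b") Tj" for u in urls)
    return (b"%PDF-1.4\n1 0 obj << /Length " + str(len(text) + 6).encode()
            + b" >>\nstream\nBT " + text + b" ET\nendstream\nendobj\n%%EOF\n")


# Constructed sample (hostnames are placeholders): two link annotations, three
# text URLs, and object 4 redefined after %%EOF with a different body.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R] /Contents 4 0 R >> endobj
4 0 obj << /Length 45 >>
stream
BT (http://host-a.example/a.pdf) Tj ET
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redir.example/go?utm_term=free+template) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://host-b.example/b.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Length 82 >>
stream
BT (https://host-c.example/c.pdf) Tj (https://host-d.example/d.pdf) Tj ET
endstream
endobj
%%EOF
"""

if __name__ == "__main__":
    print(classify_link_farm(SAMPLE_PDF))
    print("duplicate objects:", duplicate_objects(SAMPLE_PDF))
    for policy in ("first", "last"):
        print(policy, "wins ->", resolve_object(SAMPLE_PDF, 4, 0, policy)[:60])
```

On SAMPLE_PDF the four .pdf links sit on four different hosts, so no host reaches DOMINANT_SHARE and the non-clustered label wins, with the utm_term link listed as corroboration; the redefined object 4 resolves to the host-a content for a first-wins reader and to the host-c/host-d content for a last-wins reader, which is exactly the disagreement PDF_DUPLICATE_OBJ_BODY_INCREMENTAL is about. Feeding synth_pdf() a list where one host owns most of the links produces the clustered label instead.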
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000ead8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEAD8 | 5028 bytes | 26ee79d5c3663205e6e9274c5868fca35af77395ae3f99c5dfb15ddc93315624 |
| font_01_sfnt_off0000fc19.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFC19 | 11812 bytes | c7937c4d02999943d93e73cb7a531d379762b5caf23fda2b72691315a977c619 |
| font_02_sfnt_off00012219.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12219 | 16060 bytes | 74c25351ceab73455d1891ea470fad3788f7d91d7dd2aa15ed54b0feca07d747 |