MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF document was identified as malicious by multiple heuristics and an ML classifier, specifically flagged as a phishing trojan. It contains a large number of external links, many pointing to disposable hosting, suggesting a link farm or SEO spam operation. The embedded URLs, such as 'https://nipisod.ru/award?keyword=bsc+chemistry+notes+in+pdf', are likely used to redirect users to malicious sites or phishing pages. No scripts were extracted from this sample.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics 6
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://nipisod.ru/award?keyword=bsc+chemistry+notes+in+pdf
- http://jalazekesofijot.medianewsonline.com/zezipatitosugagezotinuni.pdf
- http://nozumupi.medianewsonline.com/beauty_and_the_beast_screenplay.pdf
- http://kixiwogazu.sportsontheweb.net/hypertherm_powermax_65_fault_codes.pdf
- http://ligugiban.scienceontheweb.net/24_hour_clock_worksheet.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://fedorahosted.org/lohit
- https://2e8e3215-33bf-4fe1-bc67-b38dac560527.filesusr.com/ugd/269bb8_c3e13837f0f04a4ebd46ebfa0d94ffd1.pdf?index=true
- https://s3.amazonaws.com/dowadotiju/attestato_di_conformit_ministero_salute.pdf
- https://s3.amazonaws.com/fedufiporara/sejexup.pdf
- https://ffb80149-315c-4936-8637-e87477b606fc.filesusr.com/ugd/e7410d_700fbfac23f44d0d9f2dd7d177dbe27a.pdf?index=true
- https://uploads.strikinglycdn.com/files/21ced133-1ca2-4f3c-91ab-711e3c17e768/diy_toga_costume_male.pdf
- https://790985df-dfec-4a08-b509-00f37668cf87.filesusr.com/ugd/a421e3_7b975f689fa743cfbc8329596885b3b9.pdf?index=true
- https://5d5ac114-0f0a-40de-8650-bba868657bfc.filesusr.com/ugd/cacfd7_6e9faa289df74c88b4fe09006a261f16.pdf?index=true
- https://b23183eb-b2e5-455e-bc25-91fac1efd10f.filesusr.com/ugd/cc14e4_668133d15202457dab33abbcdceb44e3.pdf?index=true
- https://uploads.strikinglycdn.com/files/67692fd9-7157-4034-9a00-b7fadfcaebe2/computer_systems_a_programmers_perspective_3rd_ed.pdf
- https://uploads.strikinglycdn.com/files/b284f689-d105-43c3-8051-f4ebf4a8a67d/93778631826.pdf
- https://ca6b24e6-01cd-4368-a310-1df05077a315.filesusr.com/ugd/11b39a_410f0d2848ba42e780fda13e808ae491.pdf?index=true
- https://f7cac2f2-528f-490f-9bef-cb2448a877de.filesusr.com/ugd/529ba0_c1a01781fdc94958b4a0ef43338300cd.pdf?index=true
- https://8a7e94d2-1b07-4399-8a7b-cfebf1eb419e.filesusr.com/ugd/e78b77_305d2ff834c74af18886d4243e1012e3.pdf?index=true
- https://uploads.strikinglycdn.com/files/08060b15-9f52-4558-b750-57715ef055e5/65317961566.pdf
- https://b20aee1f-b1b7-4e4e-be5e-d884e4ece670.filesusr.com/ugd/10e3af_3fcf82c62f21434cb0e2bd2e32414167.pdf?index=true
- https://uploads.strikinglycdn.com/files/acb7c6c7-3704-409a-8a68-ed37021b8417/89956801858.pdf
- https://1e16f6d7-285b-4488-bf07-d3e24ac90e20.filesusr.com/ugd/417718_9f9237abfe3744b8b31b19f96cacbb77.pdf?index=true
- https://ab25a8b3-4d80-4d4b-93a1-c1347014fa7c.filesusr.com/ugd/8d0191_530d81bad7e24590a42419374766d79a.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e9b3.binff3875b954f923068180769fbbef79f25bd7d5ea173a5c45c838cd25e38824d9 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE9B3 | 5304 bytes |
font_01_sfnt_off0000fba4.bin3ec5eaebde275098412d8dff0e1045b52b4c0e5a23abac5807418a6329e69f43 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFBA4 | 3204 bytes |
font_02_sfnt_off0001089c.bin46ca957b37601c45736e9d7b4fb096a50c144bb7aa2166e7c9b43dada4253cf7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1089C | 10736 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.