MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file was identified as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm designed to redirect users to potentially malicious websites. The presence of a URL with a 'utm_term' parameter related to printer issues implies a lure to trick users into seeking support or solutions, leading them to a phishing or malware distribution site.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://vilenefex.ru/strik?utm_term=hp+officejet+pro+8600+not+working+with+mac PDF link annotation
- https://cdn.sqhk.co/zirimikuj/RZimhwQ/69332624621.pdfIn PDF document text
- https://cdn.sqhk.co/sebidurubuze/jbehhnT/download_video_from_twitter.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4445731/normal_6018e66fbb1c9.pdfIn PDF document text
- https://sipigatijuk.weebly.com/uploads/1/3/3/9/133999294/3b9ad7300c6.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4426088/normal_6043789dd2dc8.pdfIn PDF document text
- https://cdn.sqhk.co/tuxonewebuke/jawkLie/tapiwigifube.pdfIn PDF document text
- https://jitezawedum.weebly.com/uploads/1/3/4/6/134688152/kolevizovevejav.pdfIn PDF document text
- https://domisupufiz.weebly.com/uploads/1/3/5/3/135316273/3292733.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4424025/normal_6046adf8e05fc.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4467564/normal_606ccbce7f6fd.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4499002/normal_60329a1be1ee3.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4451566/normal_600817ba8ff69.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.daltonmaag.com/In PDF document text
- https://uploads.strikinglycdn.com/files/5e877b68-a0d9-4c82-b875-7d730cee7ca6/fedex_customer_service_email_uk.pdfIn PDF document text
- https://61df3396-90b5-4b69-a3ae-475c9da6ebc5.filesusr.com/ugd/516574_be3ab07c34e8487885ad05ddc065b5eb.pdf?index=trueIn PDF document text
- https://8f0c9b82-9570-4081-bbb7-5e23a534ea09.filesusr.com/ugd/7008f3_4f79d766b3aa4eaa83a727cf0e13746f.pdf?index=trueIn PDF document text
- https://9a4203bb-6ff2-4ef1-9c63-3f113f84a884.filesusr.com/ugd/ea9bdf_39037ea781634f7d85a2b77936ef6659.pdf?index=trueIn PDF document text
- https://b913155d-2712-4fd4-bcc6-651970a8c456.filesusr.com/ugd/e39924_079a26f3be4448fca81a8368b2433522.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/21906eda-ca7e-440a-b1f9-8afe2b9d7d0a/vokigutetumexevavup.pdfIn PDF document text
- https://348ddb29-83e1-4812-94a1-743b72ef9b42.filesusr.com/ugd/23b571_2bf640bf4e6946daab9b831d40dfbd8f.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000eb22.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB22 | 5692 bytes |
SHA-256: 637453c0da42ecc808bb4115f6f47f9e06a43ef05e965f4e5ba4206272c28a46 |
|||
font_01_sfnt_off0000fe67.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFE67 | 11072 bytes |
SHA-256: 83ab5e5c0c199c37c4ce8afa3f3c08811782c01cbdc5303bada28584d90ffeda |
|||
font_02_sfnt_off00012455.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12455 | 4324 bytes |
SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.