Verdict: MALICIOUS
Risk Score: 126

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF file is identified as malicious by ML classifiers and ClamAV, indicating it's a phishing or trojan delivery mechanism. It contains numerous external links, many hosted on disposable domains, suggesting a link farm designed to redirect users to malicious content. The document body, though heavily obfuscated, appears to be a lure related to 'ap english literature key terms'. No scripts were extracted from this sample.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9992
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://kuzutuzo.ru/strik?utm_term=ap+english+literature+key+terms (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000e805.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE805 | 5388 bytes | 199c0fb75723ee2f675a59ad5e37ac02b21d49e2f54cfbf10a3c32a2bb896520 |
| font_01_sfnt_off0000fa40.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFA40 | 10592 bytes | 73e9550eef2bab198a2f99706ae5c15f58337e4e127c726f7fd5f608324e552c |