MALICIOUS
126
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains numerous embedded URLs, many of which point to disposable domains and are flagged as part of a link farm. The ML classifier and ClamAV detection strongly indicate malicious intent, likely phishing or malware distribution. The document body, though heavily obfuscated, contains text related to search queries, suggesting a lure to a malicious site.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://jumiwimov.ru/strik?utm_term=what+is+the+solution+in+science PDF link annotation
- http://krepezh.guru/do_sanyo_tvs_have_a_reset_buttonovs6n.pdfIn PDF document text
- http://tazizinujumijoj.mywebcommunity.org/how_hard_is_the_vision_test_at_the_dmv.pdfIn PDF document text
- https://dorulitonen.weebly.com/uploads/1/3/1/3/131380258/xemiruj.pdfIn PDF document text
- http://zhigina.ru/50_shades_of_grey_part_2_netflixkcbn7.pdfIn PDF document text
- http://nokiwurugibub.mypressonline.com/marriage_biodata_format_in_marathi_download.pdfIn PDF document text
- https://zetodimamewiwek.weebly.com/uploads/1/3/2/3/132302859/sasotuguzat.pdfIn PDF document text
- http://rubolanir.mypressonline.com/tomotuv.pdfIn PDF document text
- https://kelebewo.weebly.com/uploads/1/3/4/3/134359650/belesonomed-gonebizipa.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/5784bfe7-4c90-40bb-950b-6fd43749c1d2/rimapenewufe.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/1a136c49-4112-4c60-b080-dee3ba72f4e4/ikea_catalog_2020_request.pdfIn PDF document text
- https://1e8c0764-4a0f-46ab-84a2-5f63a8a44928.filesusr.com/ugd/6a0acf_7b2602e64e4d4c6293b3c8977822c81a.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/cb772a2e-9a76-4eba-909f-34195715c94e/can_u_get_disney_plus_on_lg_smart_tv.pdfIn PDF document text
- http://buzanuziti.myartsonline.com/structured_clinical_interview_for_dsm_iv_axis_ii_personality_disorders.pdfIn PDF document text
- http://wotidupodugi.myartsonline.com/jinagubigowo.pdfIn PDF document text
- https://0926596c-b1e6-4473-87d6-fed2e709bfeb.filesusr.com/ugd/e2a635_521b1aea836b41fa9df21678f69ecf86.pdf?index=trueIn PDF document text
- https://0dc5016f-38c0-4e11-84f4-4717e3ef4ec7.filesusr.com/ugd/4fd84c_7b71c190483b4420baa63e75081f9f71.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/vosimalume/33130337290.pdfIn PDF document text
- https://09d7e2b9-79a3-4876-9e00-73a1ba4263a4.filesusr.com/ugd/92fcd7_c487c01c14c240a3b52f374453acbbee.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/65e5b623-9e1e-40e5-bb40-60086e558b34/software_architecture_patterns_book.pdfIn PDF document text
- https://s3.amazonaws.com/sirilagewuga/lds_bishop_storehouse_order_form.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ecd0321c-6271-4074-bea4-a1e4fdde6022/how_do_you_reset_a_nuvision_tablet.pdfIn PDF document text
- https://s3.amazonaws.com/tesotiwapax/all_clad_slow_cooker_insert_cracked.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0001007d.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1007D | 4804 bytes |
SHA-256: 372d1bf308181b4e43da94b337811b15d4a85a3f5fb39d757676192c08bb7b17 |
|||
font_01_sfnt_off000110e0.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x110E0 | 10672 bytes |
SHA-256: 97783b229856e9699c8e20a2f1c7b08f28864c30960c5eef073e4b179307298e |
|||
font_02_sfnt_off0001358e.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1358E | 16132 bytes |
SHA-256: e1c0be1f083949b69301fca371b50a13b2e5d6d7a534d85b46ff30d714689a59 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.