MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF document was identified as malicious by ClamAV and an ML classifier. It contains a large number of external links, many pointing to disposable hosting, suggesting it functions as a link farm. One of the primary URLs, https://jumiwimov.ru/strik?utm_term=business+swot+analysis+pdf, is embedded within the document's text, masquerading as a business SWOT analysis to entice clicks. No scripts were extracted, but the extensive link farm behavior and the malicious verdict indicate a high likelihood of distributing further malicious content or leading to phishing sites.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://jumiwimov.ru/strik?utm_term=business+swot+analysis+pdf PDF link annotation
- https://satizivuzaked.weebly.com/uploads/1/3/4/3/134383512/vabizezizob-wodadidujux-pemal-kalemud.pdfIn PDF document text
- https://sexanugujox.weebly.com/uploads/1/3/4/2/134266496/4061265.pdfIn PDF document text
- https://maselevajaf.weebly.com/uploads/1/3/1/3/131398143/2872377.pdfIn PDF document text
- https://juposuwidamad.weebly.com/uploads/1/3/1/4/131406248/5799798.pdfIn PDF document text
- https://litodamun.weebly.com/uploads/1/3/4/7/134710511/142548e76cbe.pdfIn PDF document text
- https://wabezapodila.weebly.com/uploads/1/3/1/4/131437306/3876466.pdfIn PDF document text
- https://movediwifed.weebly.com/uploads/1/3/2/6/132695881/6300590.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/7e4a05ae-7c03-42bb-b06e-2fb5ce91bd57/corporate_social_responsibility_and_shareholders_value.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d339e24c-a36a-46c2-85ef-8113dcf24ceb/wedunixorifekufafemize.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/60e19679-0c24-48d1-9be2-e0062c4254fb/58572019961.pdfIn PDF document text
- https://s3.amazonaws.com/jajoxulabojaso/14873329293.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/6f3903bd-a892-45fa-b864-85001d6821d2/bujomipe.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f362cb26-2337-475b-9dd7-20e1303c0bb3/super_mario_3d_land_walkthrough_world_2-3.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e2bef82c-bb20-4a30-abad-4e4a2fcad2b3/10491207197.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d49ea80d-5bfe-4c34-ae2e-2bb5021e328a/what_are_the_types_of_report_writing.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/637c2994-eaa8-412a-a254-c3501fd340bc/how_to_get_a_replacement_safeway_club_card.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/9362f2c6-338c-457b-8277-4c1b748bac4d/34850174794.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ab94146b-623a-442a-998e-a4afc4633a54/how_to_write_an_introduction_for_a_research_paper_5th_grade.pdfIn PDF document text
- https://s3.amazonaws.com/buwosevax/storm_kings_thunder_guide.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/87a2e0e4-612f-4faa-bcbd-e5c6426eb952/how_to_search_keywords_in_quizlet.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000eb8c.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB8C | 5184 bytes |
SHA-256: 8fe7821d3652a58c01a1e36780dadad3fa00604f1a077a45b302a8b4d466a188 |
|||
font_01_sfnt_off0000fd65.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFD65 | 10256 bytes |
SHA-256: ff23f8f6724f95e60c7de7d4a00ffb832ed765e601c0bf71615830e1e0802063 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.