Verdict: MALICIOUS (risk score 126)
Malware Insights
MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link
This PDF document was flagged as malicious by ClamAV and by an ML classifier. It embeds a large number of external links spread across many unrelated hosts, the pattern of an SEO link farm rather than of a normal document's citations. The specific URLs and indicators for this sample are listed under the Embedded URL heuristic below.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9995
Heuristics (5)
- ClamAV detection [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL channel (macro, JS, link annotation, document body, ...) that reached each URL:
  - https://ponafet.ru/wix?keyword=lake+nehai+mo+homes+for+sale (PDF link annotation)
  - https://cdn.sqhk.co/duravukikemo/hhPshfM/71277672986.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4410441/normal_600d03aac840c.pdf (in PDF document text)
  - http://jamotovoxut.mywebcommunity.org/27382228985.pdf (in PDF document text)
  - https://cdn.sqhk.co/kotafuli/iihdvge/5283706437.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4412895/normal_603f23e7481b8.pdf (in PDF document text)
  - https://cdn.sqhk.co/moturira/jf7idgR/68653074132.pdf (in PDF document text)
  - https://cdn.sqhk.co/fojevimexu/ib8JWgg/ios_comic_reader_app.pdf (in PDF document text)
  - https://cdn.sqhk.co/lelabepena/qDJaifA/war_of_destiny_android.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4480758/normal_604da66ebd944.pdf (in PDF document text)
  - http://bikelumonekodex.mygamesonline.org/3936110165.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4486041/normal_6063a70de1835.pdf (in PDF document text)
  - http://nenodipemuxok.mypressonline.com/bodybuilding_over_50_workout.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - http://www.daltonmaag.com/ (in PDF document text)
  - https://995be609-08d3-41b1-a6c0-90e53670bcec.filesusr.com/ugd/9988e1_edf2a9a357a443c4a0ef6fb11d332b9b.pdf?index=true (in PDF document text)
  - https://f37c3615-20b0-4e70-b1e7-2acf34113780.filesusr.com/ugd/1e533a_37ade09ba29a4e498a2c30da25c9ba2c.pdf?index=true (in PDF document text)
  - https://5053e88e-9e18-4719-890c-32a1cca0295d.filesusr.com/ugd/411503_3aca4249a476489bb8e79fe4b1c08e90.pdf?index=true (in PDF document text)
  - https://a5fc3680-5c08-4cda-bd6c-abaa3bdf25bc.filesusr.com/ugd/ea5d7b_c23c4bc19b6945fd82f1873494567c04.pdf?index=true (in PDF document text)
  - http://nanaxidimidi.atwebpages.com/berkshire_hathaway_business_model.pdf (in PDF document text)
  - https://80c8fd16-4cf8-4f9f-b52b-d6c956df8f3b.filesusr.com/ugd/1a94e8_448a66ac42104116adddc638e18bcea5.pdf?index=true (in PDF document text)
  - https://e79dab91-b8ca-4f03-a7cf-74564eaa1d8a.filesusr.com/ugd/009cd4_765bc79d6ee54fe6b84d9ec9dde39892.pdf?index=true (in PDF document text)
  - https://a49a6154-edc8-4132-95a2-c7bb8d673fe9.filesusr.com/ugd/551169_8e8c628e40af4044990850068ebfa8c1.pdf?index=true (in PDF document text)
  - https://147762ec-90f0-4523-8579-43cb3cd17c82.filesusr.com/ugd/6c48b9_90da62597dad4c7ab8a5de97e1a15117.pdf?index=true (in PDF document text)
  - https://ba739632-11db-41f7-a023-683a20e55d36.filesusr.com/ugd/99835b_0cb6a5b01bbb4e529fee30d357c7fe08.pdf?index=true (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text; XMP/RDF namespace)
  - http://purl.org/dc/elements/1.1/ (in PDF document text; XMP/RDF namespace)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text; XMP/RDF namespace)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text; XMP/RDF namespace)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text; XMP/RDF namespace)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text; XMP/RDF namespace)
  - http://scripts.sil.org/OFL (in PDF document text; font licence URI)
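Worked example of the test the PDF_SEO_DISPOSABLE_LINK_FARM entry describes (many clickable links, no dominant host, corroborated by disposable hosts or a keyword redirector), together with the /URI extraction behind the PDF_URI and EMBEDDED_URL channels. This is added illustration code, not the analyzer's implementation. The DISPOSABLE_HOSTS list, the SEO_PARAMS names, the two thresholds (8 links, 50% dominant-host share), the SAMPLE_PDF fragment and both URL samples are assumptions made for the example: FARM_URLS is abridged from the indicator list above, CITATION_URLS is a constructed benign control.

```python
"""Link-farm scoring in the spirit of the PDF_URI, EMBEDDED_URL and
PDF_SEO_DISPOSABLE_LINK_FARM heuristics in this report.

Added illustration, not the analyzer's own code. DISPOSABLE_HOSTS,
SEO_PARAMS, the two thresholds, SAMPLE_PDF and both URL samples are
assumptions made for this example.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Free-subdomain / user-upload hosts (assumed list; curate for production use).
DISPOSABLE_HOSTS = {
    "filesusr.com", "f-static.net", "sqhk.co", "mywebcommunity.org",
    "mygamesonline.org", "mypressonline.com", "atwebpages.com",
}
# Query keys typical of search-keyword redirectors (assumed list).
SEO_PARAMS = {"utm_term", "keyword", "q"}
# XMP/RDF namespace URIs sit in almost every PDF's metadata and are not links.
NAMESPACE_PREFIXES = ("http://www.w3.org/", "http://purl.org/",
                      "http://ns.adobe.com/", "http://scripts.sil.org/")
# /URI action target written as a literal string inside an unencoded object.
URI_ACTION_RE = re.compile(rb"/URI\s*\((https?://[^)]+)\)")

# Constructed PDF fragment: two link annotations carrying /URI actions.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI "
    b"/URI (https://ponafet.ru/wix?keyword=lake+nehai+mo+homes+for+sale) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 100 50] /A << /S /URI "
    b"/URI (http://jamotovoxut.mywebcommunity.org/27382228985.pdf) >> >> endobj\n"
)


def extract_uri_actions(pdf_bytes):
    """Return /URI targets found in raw PDF bytes (the link-annotation channel).

    Object streams, hex-string URIs and escaped parentheses are out of scope
    here; a full triage tool decodes those before scanning.
    """
    return [m.group(1).decode("latin-1")
            for m in URI_ACTION_RE.finditer(pdf_bytes)]


def registrable_host(url):
    """Collapse a hostname to its last two labels (a crude eTLD+1)."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def score_link_farm(urls, min_links=8, max_dominant_share=0.5):
    """'Many links, no dominant host, plus disposable hosts or SEO redirectors'."""
    clickable = [u for u in urls if not u.startswith(NAMESPACE_PREFIXES)]
    hosts = Counter(registrable_host(u) for u in clickable)
    total = len(clickable)
    dominant_share = max(hosts.values()) / total if total else 0.0
    disposable = sorted(h for h in hosts if h in DISPOSABLE_HOSTS)
    seo_redirectors = [u for u in clickable
                       if SEO_PARAMS & set(parse_qs(urlparse(u).query))]
    spread_thin = total >= min_links and dominant_share <= max_dominant_share
    return {
        "clickable": total,
        "distinct_hosts": len(hosts),
        "dominant_share": round(dominant_share, 2),
        "disposable_hosts": disposable,
        "seo_redirectors": seo_redirectors,
        "flagged": spread_thin and bool(disposable or seo_redirectors),
    }


FARM_URLS = [  # abridged from the indicator list in this report
    "https://ponafet.ru/wix?keyword=lake+nehai+mo+homes+for+sale",
    "https://cdn.sqhk.co/duravukikemo/hhPshfM/71277672986.pdf",
    "https://cdn-cms.f-static.net/uploads/4410441/normal_600d03aac840c.pdf",
    "http://jamotovoxut.mywebcommunity.org/27382228985.pdf",
    "https://cdn.sqhk.co/kotafuli/iihdvge/5283706437.pdf",
    "http://bikelumonekodex.mygamesonline.org/3936110165.pdf",
    "http://nenodipemuxok.mypressonline.com/bodybuilding_over_50_workout.pdf",
    "https://995be609-08d3-41b1-a6c0-90e53670bcec.filesusr.com/ugd/9988e1_edf2a9a357a443c4a0ef6fb11d332b9b.pdf?index=true",
    "http://nanaxidimidi.atwebpages.com/berkshire_hathaway_business_model.pdf",
    "https://a5fc3680-5c08-4cda-bd6c-abaa3bdf25bc.filesusr.com/ugd/ea5d7b_c23c4bc19b6945fd82f1873494567c04.pdf?index=true",
    "http://www.ascendercorp.com/",
    "http://ns.adobe.com/xap/1.0/",
]
CITATION_URLS = (  # constructed control: citations clustered on one publisher
    [f"https://arxiv.org/abs/2101.{i:05d}" for i in range(1, 10)]
    + ["https://doi.org/10.1000/182", "https://example.edu/paper.pdf",
       "http://purl.org/dc/elements/1.1/"]
)

if __name__ == "__main__":
    print(extract_uri_actions(SAMPLE_PDF))
    for name, urls in (("farm", FARM_URLS), ("citations", CITATION_URLS)):
        print(name, score_link_farm(urls))
```

The control document has the same number of clickable links as the abridged farm sample but 82% of them point at one publisher, so it fails the "no dominant host" leg and is not flagged; the farm sample spreads 11 links over 9 registrable hosts, 7 of them on free content hosts, with one keyword redirector. Before running a regex scanner like this over a real file, normalize it so that object streams and hex strings are expanded (for example `qpdf --qdf --object-streams=disable in.pdf out.pdf`), otherwise /URI actions hidden in compressed object streams are missed.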
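The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL entry above describes an object number defined twice with different bodies and the first-wins versus last-wins split that follows. The following is added illustration code, not the analyzer's implementation: it linearly scans unencoded `N G obj ... endobj` definitions, reports duplicates whose bodies differ, raises severity only when one of the bodies carries active content (the key list in ACTIVE_RE is an assumption), and shows what each resolution policy returns. SAMPLE_PDF is constructed for the example (a plain first revision plus an appended incremental update; xref tables are omitted for brevity).

```python
"""Detect indirect objects defined more than once with different bodies,
the shape behind the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic, and show
what first-wins and last-wins resolution each return.

Added illustration, not the analyzer's own code. SAMPLE_PDF is constructed
for the example: a plain first revision, then an appended incremental update
that redefines object 2 0 harmlessly and object 1 0 with an /OpenAction that
runs JavaScript. ACTIVE_RE is an assumed list of 'active content' keys.
"""
import hashlib
import re
from collections import defaultdict

# "N G obj ... endobj" for unencoded objects; object streams need decoding first.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Dictionary keys that make a redefined object worth a higher severity (assumed).
ACTIVE_RE = re.compile(
    rb"/(JavaScript|JS|OpenAction|AA|Launch|URI|SubmitForm|EmbeddedFile)\b")

SAMPLE_PDF = (  # constructed; xref tables omitted for brevity
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Size 3 >>\n%%EOF\n"
    # --- incremental update appended after the first %%EOF ---
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 1 >>\nendobj\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
    b"/OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Size 3 /Prev 9 >>\n%%EOF\n"
)


def object_definitions(pdf_bytes):
    """Map (num, gen) -> list of (offset, body) in file order."""
    defs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf_bytes):
        key = (int(m.group(1)), int(m.group(2)))
        defs[key].append((m.start(), m.group(3).strip()))
    return defs


def find_duplicate_objects(pdf_bytes):
    """Report objects defined more than once with differing body bytes."""
    findings = []
    for (num, gen), versions in object_definitions(pdf_bytes).items():
        digests = [hashlib.sha256(body).hexdigest() for _, body in versions]
        if len(versions) < 2 or len(set(digests)) < 2:
            continue  # single definition, or byte-identical re-emission
        active = sorted({m.group(1).decode() for _, body in versions
                         for m in ACTIVE_RE.finditer(body)})
        findings.append({
            "object": f"{num} {gen}",
            "definitions": len(versions),
            "offsets": [off for off, _ in versions],
            "first_wins": digests[0],
            "last_wins": digests[-1],
            "active_content": active,
            # body-only drift is normal in incremental updates; active keys are not
            "severity": "high" if active else "info",
        })
    return findings


def resolve_object(pdf_bytes, num, gen, policy="last"):
    """Body a naive reader sees: 'first' keeps the original definition, 'last'
    takes the newest, which is what a reader following /Prev-chained updates
    effectively does. Real readers go through the xref, so this is the
    worst-case model rather than any particular viewer's behaviour."""
    versions = object_definitions(pdf_bytes).get((num, gen), [])
    if not versions:
        return None
    return versions[0][1] if policy == "first" else versions[-1][1]


if __name__ == "__main__":
    for finding in find_duplicate_objects(SAMPLE_PDF):
        print(finding["object"], finding["severity"], finding["active_content"])
    print(resolve_object(SAMPLE_PDF, 1, 0, "first"))
    print(resolve_object(SAMPLE_PDF, 1, 0, "last"))
```

On the constructed sample, object `2 0` is reported at info severity (only /Count changed, the benign incremental-update case the heuristic text mentions), while object `1 0` is raised to high because its second body introduces /OpenAction and /JavaScript; a first-wins reader renders a plain catalog and a last-wins reader executes the script, which is exactly the disagreement the heuristic is looking for. For the sample in this report the duplicate was scored info, consistent with no active content in the redefined body.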
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f31e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF31E | 4720 bytes | c017df9ae510c987464af4fc3814ca0a5bf2b8752b2121be3148b081c03d472f |
| font_01_sfnt_off000102e9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x102E9 | 11168 bytes | e7a5b754967c0b2ff452f9e52cc98ff9024dea20f4f1536de4786106ea7d654e |
| font_02_sfnt_off00012877.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12877 | 4324 bytes | cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34 |