MALICIOUS
164
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
T1059.007 JavaScript
This PDF document is classified as malicious and uses a remote support tool lure, instructing the user to install tools like AnyDesk or TeamViewer. The document also contains numerous embedded URLs, suggesting it acts as a link farm or redirects to malicious sites. The presence of PDF_URI and PDF_SEO_DISPOSABLE_LINK_FARM heuristics indicates a pattern of using disposable hosting for link farms, likely to distribute malware or phishing content.
Machine Learning
- Nyx PDF Classifier malicious score 0.8355
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Remote-support tool lure high SE_REMOTE_SUPPORT_LUREDocument instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://druttle.ru/award?keyword=does+bose+sounddock+portable+have+bluetooth PDF link annotation
- https://cdn-cms.f-static.net/uploads/4446914/normal_602144eb898a4.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4488581/normal_5fd8b1c52950c.pdfIn PDF document text
- https://vuzigalami.weebly.com/uploads/1/3/5/9/135960382/f71c787edbcebf.pdfIn PDF document text
- http://lajulufubugo.22web.org/dizubelumexorotepof.pdfIn PDF document text
- https://mevesazikixewo.weebly.com/uploads/1/3/4/3/134366921/41c6b4eb9b8b.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4456663/normal_5fefc6788655f.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4489255/normal_603369e52e42d.pdfIn PDF document text
- https://kapelivoxiri.weebly.com/uploads/1/3/4/0/134040857/faxutemidupug-nanitarebuwepap-bapajixejos.pdfIn PDF document text
- https://wojumujar.weebly.com/uploads/1/3/5/3/135396772/4030696.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://wexugemo.epizy.com/fazimoromegevomoxal.pdfIn PDF document text
- http://vasikiga.epizy.com/23993193114.pdfIn PDF document text
- http://puloxivomavari.epizy.com/teamviewer_quicksupport_linux.pdfIn PDF document text
- http://suzekusopowe.epizy.com/craftsman_gold_6.75_lawn_mower_190cc_self_propelled.pdfIn PDF document text
- http://nazopagoja.epizy.com/28364901357.pdfIn PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e1f2.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE1F2 | 5424 bytes |
SHA-256: d085dc57b703d6f0797be770956e25776bbb4beb22da975c733a2c54c13b1e89 |
|||
font_01_sfnt_off0000f459.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF459 | 2000 bytes |
SHA-256: 7e007db5cc846c4a1f81ff98a6fa0ec978cd378166c495095324491e4272fec5 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.