MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains numerous external links, identified as a link farm designed for SEO purposes. One of the primary URLs, https://baarspo.ru/wix?keyword=btd+hacked+unblocked, is suspicious and likely serves as a distribution point for malware. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing trojan.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://baarspo.ru/wix?keyword=btd+hacked+unblocked PDF link annotation
- https://gurawibozogudex.weebly.com/uploads/1/3/0/7/130739732/zeboxojevojuwuluve.pdfIn PDF document text
- http://jekeluxuto.mywebcommunity.org/mirerixawe.pdfIn PDF document text
- http://filozajerezabi.getenjoyment.net/benyamin_aadujeevitham_download.pdfIn PDF document text
- https://wegoboxup.weebly.com/uploads/1/3/4/7/134772399/relikenuvadirez_lukije_safatupowol_nuwenekogafus.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/35447f5f-c606-4cbe-8aef-1039b46d08ce/1992_suzuki_quadrunner_250_carburetor_adjustment.pdfIn PDF document text
- http://zoxutuperovizo.epizy.com/online_performance_appraisal_system_free.pdfIn PDF document text
- http://revugina.epizy.com/25961092838.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/49435cfd-5c58-4161-b3b3-cf3c77dc299b/cuisinart_premium_single-serve_brewer_ss-10_coffee_maker_canada.pdfIn PDF document text
- http://vedudisenor.rf.gd/ashraful_insha_2.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/68c7a485-a3d5-48ee-bb00-997dcc275139/81716390934.pdfIn PDF document text
- http://sidepojedava.myartsonline.com/58088110967.pdfIn PDF document text
- http://kadoxosin.atwebpages.com/cours_javascript_ajax.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/dfb47531-324c-42bf-8012-b8f8d1e071d7/81929625204.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/571a7501-bc06-4f34-bb2a-13e8f1ccee56/how_to_use_design_thinking_principles.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/491ce67b-fb84-4d47-99e6-5bcc04c7f732/fender_hot_rod_deluxe_3_amp.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c312e182-af68-42f1-98b1-1c59e32bf23f/alfred_all_in_one_piano_book.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/3b30d883-5a24-4573-8ade-d7d327954239/26570213033.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8b6facb5-4133-4b4d-b0af-09309b1c615c/radulajarilikipe.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/968efddb-fd07-49fc-99a3-82c240928369/the_over_40_hormone_reset_diet_main_guide.pdfIn PDF document text
- http://muzowagujojate.rf.gd/66739666424.pdfIn PDF document text
- http://faxanudof.epizy.com/kado_the_right_answer.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/58e4fccd-5e1a-45fd-982d-4b50b9506aa6/34343818111.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000dcde.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDCDE | 5004 bytes |
SHA-256: 1e302883b66ec3df3b54f14ca5212f4132bdb0c5f3caf9374b1c4839f86a5097 |
|||
font_01_sfnt_off0000ede1.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEDE1 | 9824 bytes |
SHA-256: 13581495ac1348aa24536d53a67e9054c405a2a236a919b7cc88a9d38f0d1a96 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.