Risk Score: 126 (MALICIOUS)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to 'https://crysiq.ru/pbw?utm_term=can+u+make+slime+without+glue', which is likely a phishing or malware distribution site. The PDF also exhibits characteristics of a link farm on disposable hosting, further supporting a malicious purpose.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://crysiq.ru/pbw?utm_term=can+u+make+slime+without+glue (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f978.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF978 | 5064 bytes | ce4e87072ec415680d24c3d0fe956ac1a729a2b8d5904e6f835495fda1cef7b1 |
| font_01_sfnt_off00010aa2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10AA2 | 10400 bytes | 0bf6a7029c6121ea8285b962340350114b18a721e133fe3d6b1af2ad58c4fd95 |