MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and a machine learning model indicated a high probability of maliciousness. It contains numerous embedded URLs, many pointing to unknown or potentially malicious domains, suggesting a phishing or link-farming attempt. The PDF's structure and embedded content, despite being heavily obfuscated, indicate an attempt to redirect users to external sites.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 5
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI [info] PDF_URI
  PDF contains an external URL action
- Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info] EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://jumiwimov.ru/wix?keyword=jezus+z+nazaretu+film (PDF link annotation)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000ece7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xECE7 | 4952 bytes | 4021e3b581cc39a20d47ef538012e82b42b10485e8863ff14e1b3512ea0d8e6f |
| font_01_sfnt_off0000fdb1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFDB1 | 12536 bytes | 506ab0021f8eaec7898996b5c5e075440b1dbf9a9c698be01fa1d66b33f763bd |