MALICIOUS
226
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file was identified as malicious by a machine learning classifier and ClamAV, indicating a high likelihood of malicious intent. It contains a large number of external links, many pointing to disposable hosting, suggesting a link farm or SEO manipulation tactic. The presence of a URL with a 'utm_term' parameter further supports the idea of traffic redirection or phishing. While no scripts were explicitly extracted, the PDF structure and numerous external links are indicative of a phishing or malware distribution attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.9990
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMANDExtracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://baarspo.ru/strik?utm_term=how+much+does+enhanced+driver%2527s+license+cost PDF link annotation
- http://giwapozolaleg.mypressonline.com/55946095885.pdfIn PDF document text
- http://doxedisipi.scienceontheweb.net/tipos_de_aprendizagem_organizacional.pdfIn PDF document text
- http://refukifis.22web.org/83805734738.pdfIn PDF document text
- http://warajuvevuv.medianewsonline.com/mathematics_book_for_gate.pdfIn PDF document text
- http://nemosixumeki.mypressonline.com/8615268524.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/cfd6a9b6-92f6-4ab4-8f87-82561396a3b4/resistance_band_workouts_uk.pdfIn PDF document text
- http://genolewedusu.myartsonline.com/ankylosing_spondylitis_article.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8e8acb6e-24e5-4038-84e7-4f32f2285838/nubivulasusisesuduri.pdfIn PDF document text
- https://s3.amazonaws.com/lixasifasi/guidelines_for_blood_transfusion_administration.pdfIn PDF document text
- http://sidukumu.epizy.com/59532288822.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/bd9c4c5c-78f7-4ce5-96cf-d2c3ed4b1d3f/how_to_get_extra_money_to_pay_off_debt.pdfIn PDF document text
- https://s3.amazonaws.com/jalasilunaz/wifi_wachtwoord_achterhalen_android_app.pdfIn PDF document text
- https://17a6c5a8-0587-4adf-8126-5b439e15a62f.filesusr.com/ugd/54bec1_e2f06eaf949d4e3b9415c76edb2b9044.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/17fbfeb1-f728-4bed-a74a-4d134092e6cc/23348956718.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/5f6e1e3b-3069-43f7-84b8-74f1b5635064/does_uppababy_mesa_ever_go_on_sale.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f3af0ee1-9179-4256-b612-01a8e8869372/xagepiritutenigujepukos.pdfIn PDF document text
- https://s3.amazonaws.com/gurowozenupifi/rip_curl_gps_watch_instructions.pdfIn PDF document text
- https://s3.amazonaws.com/kibavutibeved/tinabilisulodut.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/4f760a68-38c0-42e5-a5bc-c7bc2ec73b63/the_secret_life_of_pets_2_daisy_plush.pdfIn macro / runtime command snippet
- https://uploads.strikinglycdn.com/files/f9abb0b2-7ba6-489d-a1c6-159d67ff2f1c/how_many_covid_cases_in_wheeling_wv.pdfIn PDF document text
- https://16e729f2-8c5c-4787-b670-14aeba6c5e03.filesusr.com/ugd/ac55e2_1a8241d69cac404aae490b7962410fd7.pdf?index=trueIn PDF document text
- https://c33c3ce4-fa2f-4f19-9477-7a801b41b29e.filesusr.com/ugd/ebbcbd_a0fddb6ddb6249b5bcd9b754d6062ccd.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/ca153043-adc6-48ae-87bf-30425c0832e3/introduction_to_thermal_and_fluids_engineering_solutions.pdfIn PDF document text
- https://s3.amazonaws.com/nitidadufetenu/ar_15_handguard_accessories.pdfIn PDF document text
- https://8ed7ad90-0d0e-491f-9c15-1f6cd5a61d18.filesusr.com/ugd/f1a804_d01e79916dea4c2a96717d038ec9dad7.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- https://s3.amazonaws.com/kibIn macro / runtime command snippet
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000ed33.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xED33 | 5324 bytes |
SHA-256: a766e44c9baef58769a526006f466b97db6c9040bc548c8e865a424193ae691d |
|||
font_01_sfnt_off0000ff3b.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFF3B | 10948 bytes |
SHA-256: 49e58399800d2d6a8a3a3fdf7f9126ad913165db926ad71a49d77a15dcb78289 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.