MALICIOUS
134
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The file is identified as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The PDF contains numerous embedded URLs and a heuristic firing for a 'SEO_DISPOSABLE_LINK_FARM', suggesting it's used to drive traffic or host malicious content. The presence of a 'DOWNLOAD_BUTTON' heuristic further supports a phishing or scam-related attack pattern.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://midufefew.ru/award?keyword=b.+ed+cet+books+pdf+free+download PDF link annotation
- http://vpntop.info/vodafone_speed_checkbtycy.pdfIn PDF document text
- http://hackins.site/zf_8hp_transmissioni525p.pdfIn PDF document text
- http://yozi.store/ginarirutiybpan.pdfIn PDF document text
- http://xiguxivevov.sportsontheweb.net/banking_awareness_arihant_download.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4374860/normal_5ff9d0cf181db.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4415946/normal_602cdd3f4f44e.pdfIn PDF document text
- http://suvuxivenorum.mypressonline.com/nubuzufemuno.pdfIn PDF document text
- http://pokezokebawi.mygamesonline.org/seth_meyers_net_worth_2018.pdfIn PDF document text
- http://immortal-sho.club/56153783335xvhmi.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4417032/normal_603bd9570a42d.pdfIn PDF document text
- http://mediaverifiedbadge.com/47776302339ab0b3.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4408713/normal_603a283c34d1e.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4369764/normal_5fe3676614eb6.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4494889/normal_600eabac68f34.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/e661df90-5f1b-49fa-a528-bb9c7f8b5204/ponugawajopisitowovadu.pdfIn PDF document text
- https://a39ac558-8fe8-437d-9e10-dc9402d6cb9c.filesusr.com/ugd/1ebe14_fbe8d3a71aba4589b95c88b9913c2464.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/f5298f4d-e7a3-4911-830d-849755f6e2d1/behringer_inuke_nu6000_for_sale.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/5df41d5a-22cd-454b-b38d-f77e7f985c17/48998853420.pdfIn PDF document text
- https://8a6b9437-e7f2-49d7-8c24-351b272aa67a.filesusr.com/ugd/b18e4d_26613169b6b14c06a3271bb2e89742b6.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/db717b0c-c566-4b22-8c9d-17f5f8ce1ebd/how_to_use_a_magellan_gps_315.pdfIn PDF document text
- https://67d298e0-85f4-4ad4-bf36-e1ac857e42fc.filesusr.com/ugd/b6bf5b_40fa4f5064a149be9a7d9a6dfaf5f1be.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000100f5.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x100F5 | 5528 bytes |
SHA-256: c2a7e0fbfcef3a7b003ba7b0aa273fabff1e44a361576bfdad2e1251abe95913 |
|||
font_01_sfnt_off000113e6.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x113E6 | 11252 bytes |
SHA-256: 7b2b6c9031cb96e5ed6b90d5b7ad540eae5d478427a855c5f569efbd3b198593 |
|||
font_02_sfnt_off00013a66.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x13A66 | 16092 bytes |
SHA-256: 9af6fc3bf9d751f70540aea0fa47faa159a3604992cda23d2adcda3ffc5346b2 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.