MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a large number of external links, identified as a link farm, suggesting a malicious intent to redirect users. ClamAV detected this file as 'Pdf.Phishing.Trojan', and ML classifiers also flagged it as malicious. The embedded URLs, such as 'https://druttle.ru/wix?keyword=kidde+kn-copp-3-rc+manual', are likely used to host phishing content or further malware. No scripts were extracted, but the PDF structure itself is indicative of malicious activity.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://druttle.ru/wix?keyword=kidde+kn-copp-3-rc+manual
- https://static.s123-cdn-static.com/uploads/4404122/normal_5fcf3e3c2eac5.pdf
- https://static.s123-cdn-static.com/uploads/4426424/normal_5ff24fecbef2f.pdf
- http://ledimpress.biz/nozobofusod6vhq2.pdf
- http://brumbum6.xyz/wuzujuzazogezupomoh1qlx.pdf
- https://static.s123-cdn-static.com/uploads/4427094/normal_6000260ca6a87.pdf
- https://static.s123-cdn-static.com/uploads/4462976/normal_5fce87d7e2753.pdf
- https://pixamowogiru.weebly.com/uploads/1/3/4/5/134590731/tinumaw-xezoroposap-rutizuxuxux-binumux.pdf
- http://b4shop.icu/zoxokoruvelidoruxilipowu2t.pdf
- https://pebepatesova.weebly.com/uploads/1/3/4/4/134447190/fulexa.pdf
- http://nat-fru.space/anaconda_python_download_mac51e0v.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://nijetazum.epizy.com/anatomy_of_human_body_books.pdf
- https://s3.amazonaws.com/faxaxos/69784172850.pdf
- http://zexubadisaki.rf.gd/68738961937.pdf
- http://muwojes.epizy.com/eragon_game_free_download_for_pc_full_version.pdf
- https://s3.amazonaws.com/vebenok/bendalong_surf_report.pdf
- http://meziwadosemuge.epizy.com/how_to_reprogram_clicker_garage_door_opener_keypad.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00010c8e.bin89cf470083bbe9d292cd00be01e781f34a0b750faaf1f9a1ee390d6d3d9e1033 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10C8E | 5272 bytes |
font_01_sfnt_off00011e6a.bin68e24310d34a5d88d8e0550c6ca055c02903c09313f4c62f905d8eeb6644cb11 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11E6A | 10440 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.