Verdict: MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains numerous embedded URLs, with one prominent URL suggesting a lure for playing chess online. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' indicates a large number of links on disposable hosting, and ClamAV detection as 'Pdf.Phishing.Trojan' strongly suggests a phishing or malicious download attempt. The presence of embedded URLs and the nature of the heuristics point towards a malicious document designed to redirect users to potentially harmful sites.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9957
Heuristics (5)
- CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0. ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- PDF_SEO_DISPOSABLE_LINK_FARM (medium): Small PDF is a non-clustered link farm on disposable hosting. Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- PDF_URI (info): External URI. PDF contains an external URL action.
- PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies. The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- EMBEDDED_URL (info): Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://seumenha.ru/123?utm_term=play+chess+online++free (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f983.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF983 | 5072 bytes | d4b6e228e8f141b824322b2966d8e27b085ce2ae76db422f9e7a1bc6a06ce8df |
| font_01_sfnt_off00010ac8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10AC8 | 10584 bytes | 47f548a5b5de2adc7e1239fca5b764134c29090cfab3d845f39a198c3a00dc6c |