Verdict: MALICIOUS
Risk Score: 186

Malware Insights

MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
This PDF file was identified as malicious by ML classification and ClamAV, flagging it as a phishing trojan. It contains a large number of external links, forming a link farm, with one URL identified as a phishing attempt. The document body is heavily obfuscated and unreadable, suggesting it is designed to obscure its malicious intent.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9997
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Link annotation URL: https://dugedepap.ru/strik?utm_term=mitchell+auto+repair+login
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000e4f3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE4F3 | 5020 bytes | 2b728afb3e4de59d26244f00c73677b4eefc875d683b5ebede03ad2683560bf8 |
| font_01_sfnt_off0000f60e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF60E | 10872 bytes | f1bcb05fae543f43368528f1bcae04012e18ae6bf35d69c3fafa92f6ed4e36e6 |