MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9973
Heuristics 6
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://xajibur.ru/wix?keyword=with+both+hands+challenge+glitch (PDF link annotation)
  - In PDF document text:
    - http://lasabobobatir.22web.org/blackberry_mobile_tones.pdf
    - http://fimuvukabiwijad.22web.org/lagu_percaya_aku_gabriella_uyeshare.pdf
    - http://www.ascendercorp.com/
    - http://www.ascendercorp.com/typedesigners.html
    - https://f770b3d7-c897-40e0-9323-5ad0abd91552.filesusr.com/ugd/1fa6dd_e1d446b04cfd4974b0146db06b283fc0.pdf?index=true
    - https://11ca5eb4-0abe-4d5d-8073-3f36f6088e80.filesusr.com/ugd/8b62d8_c7d5de62ece943798dfab0fda7e9e410.pdf?index=true
    - https://09235f31-469a-4613-94fc-36d04c1f642a.filesusr.com/ugd/8b6407_e921944079cc42368228112e133ae27f.pdf?index=true
    - https://adea4596-07c4-4c45-ba97-107779ed6dc5.filesusr.com/ugd/5bd9e2_dc026c415acd437cbc0f717f7d8aa5f4.pdf?index=true
    - https://b20aee1f-b1b7-4e4e-be5e-d884e4ece670.filesusr.com/ugd/10e3af_6960514483424c20936f6c2ab49f2ab1.pdf?index=true
    - https://e22e8d81-f41f-4d51-abb1-39b19d2d32bb.filesusr.com/ugd/96bf9d_832a66c2f1024bd88b514245f93859c3.pdf?index=true
    - https://f64a1a0a-debf-4843-a838-a34c0cae0f4a.filesusr.com/ugd/89602e_42e03fa541004ba7b3e8ab4a6aa0c5a7.pdf?index=true
    - https://cae2aa39-5014-47ec-b549-0fed73f36d02.filesusr.com/ugd/c8683e_cf00e5a831e04d6383564ce94ba4e493.pdf?index=true
    - https://f7f2eb1f-4ce6-40bf-b337-6bcc2c9c1a95.filesusr.com/ugd/dc6899_f4d2115606ea4dfc92e1bdebb84a5bf8.pdf?index=true
    - https://931f52e6-cb68-4a93-8e02-54808d33f8b6.filesusr.com/ugd/6290de_76610f89d7f84687a4cfbdaaee948c72.pdf?index=true
    - https://1a6defe7-92a0-4357-8a70-d3bce85d30c9.filesusr.com/ugd/385065_4a031bf14abe4a369ab09432b568b1d8.pdf?index=true
    - https://b67fa923-03b4-4d21-b555-95ff628d7525.filesusr.com/ugd/1d4b90_86bd3eb6818e41f2a6a3e83908dbf771.pdf?index=true
    - http://lebozid.epizy.com/didosirife.pdf
    - https://e18e6c05-101e-4f41-9c4d-f518aea09dbb.filesusr.com/ugd/7972b3_3fb8b2daefd649c7a69a96c5ecd86896.pdf?index=true
    - http://pojetol.epizy.com/anbulla_appa_audio_song_free.pdf
    - https://dec4a425-646e-450a-80ca-a73a75d058ad.filesusr.com/ugd/ba3095_75c9a7887f7948cf97ac0a25fa4bebb2.pdf?index=true
    - https://a04ad255-06d6-4b17-97e7-91173d300295.filesusr.com/ugd/6864df_489919934d184594b90b66307a7257e7.pdf?index=true
    - https://9539e3d7-93ad-434a-85ac-22bd9bdb82bb.filesusr.com/ugd/df7b34_4912cabebfb1477aa1f530f481594f98.pdf?index=true
    - https://ddc7b23b-31e5-4b5c-aaad-d3b7cef26861.filesusr.com/ugd/e506b8_094f6a64e6f645f2958a5ca421921345.pdf?index=true
    - https://2178e3ec-2e0a-46e0-af35-d8a6fdfeb21a.filesusr.com/ugd/c411cf_27c60ec8ccba45fa87649645e1328186.pdf?index=true
    - https://cf4de027-7369-46c2-bf93-d69cabef2b5e.filesusr.com/ugd/868b90_1236ffb87b524a2a9e8b47079c26c7b1.pdf?index=true
    - http://www.w3.org/1999/02/22-rdf-syntax-ns#
    - http://purl.org/dc/elements/1.1/
    - http://ns.adobe.com/pdf/1.3/
    - http://ns.adobe.com/xap/1.0/
    - http://ns.adobe.com/xap/1.0/mm/
    - http://ns.adobe.com/xap/1.0/rights/
    - http://scripts.sil.org/OFL
    - http://dejavu.sourceforge.net
    - http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 5
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0001194d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1194D | 5684 bytes | 3025f3e755df129d25f2bd0a1e17932f3773558076bcc32c582fcfe40cddb3e4 |
| font_01_sfnt_off00012d22.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12D22 | 5260 bytes | 427cacb274f83f940709ed4a38d522fb8596029a16bdc617c2d4968fbd437b20 |
| font_02_sfnt_off00013f02.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13F02 | 1800 bytes | e9a5a1f6ed95b1e3669933bb00002ad32a1708c3e0b735191cad5e02368a6c7d |
| font_03_sfnt_off00014790.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14790 | 12352 bytes | 26e12a9f5705e0bb9a40f8cb44905b79c7c1ae8d0b9b8b6c7e934736c2e802a2 |
| font_04_sfnt_off00017044.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17044 | 16204 bytes | a95eff378c135b1ab40d10b3cd1da1bafbc07f86005f57898d079c90d712ddbd |