Verdict: MALICIOUS (Risk Score 126)

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains numerous embedded URLs, many pointing to disposable domains and employing UTM parameters, indicative of a phishing or malware distribution campaign. Heuristics like 'PDF_SEO_DISPOSABLE_LINK_FARM' and 'ML_NYX_PDF_MALICIOUS' strongly suggest malicious intent. The presence of external URIs and the ClamAV detection as 'Pdf.Phishing.Trojan' further support this assessment, indicating the document likely serves as a lure to download malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics (5)

- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Embedded URLs (by channel)

| URL | Channel |
|---|---|
| https://crophysi.ru/aws?utm_term=arduino+programming+language+free+download | PDF link annotation |
| http://powajaxib.medianewsonline.com/a_first_course_in_complex_analysis_with_applications_zill_solutions.pdf | In PDF document text |
| https://cdn.sqhk.co/wimiwupo/jzWgjMa/change_colour_pokemon_go.pdf | In PDF document text |
| https://cdn-cms.f-static.net/uploads/4424024/normal_6023d0b9b6514.pdf | In PDF document text |
| https://cdn.sqhk.co/mowanideju/heaiaib/best_online_air_ticket_booking_app.pdf | In PDF document text |
| https://cdn.sqhk.co/zebenane/ChiihAy/ncaa_football_championship_2019_highlights.pdf | In PDF document text |
| http://xedeporib.medianewsonline.com/flash_player_chrome_support_ending.pdf | In PDF document text |
| https://cdn.sqhk.co/zarejesorufo/geicjei/sevogelixosogelonufop.pdf | In PDF document text |
| https://cdn.sqhk.co/vufisolepu/chiSic5/15415248418.pdf | In PDF document text |
| https://cdn.sqhk.co/wobimore/gPjeifH/7642255123.pdf | In PDF document text |
| http://naliputa.mywebcommunity.org/brave_new_world_revisited_aldous_huxley.pdf | In PDF document text |
| http://juvozukatug.66ghz.com/powisawejevaxo.pdf | In PDF document text |
| https://cdn.sqhk.co/nijijitolow/boLQjfM/fairy_birthday_party_balloons.pdf | In PDF document text |
| https://static.s123-cdn-static.com/uploads/4366057/normal_5ffd5bd3243d0.pdf | In PDF document text |
| https://cdn-cms.f-static.net/uploads/4502246/normal_5fd3d32ce43cb.pdf | In PDF document text |
| http://www.ascendercorp.com/ | In PDF document text |
| http://www.ascendercorp.com/typedesigners.html | In PDF document text |
| http://vulekagezefodek.rf.gd/15328219613.pdf | In PDF document text |
| http://fuvarijes.atwebpages.com/61004789344.pdf | In PDF document text |
| http://gesulomesazisaj.epizy.com/17394006587.pdf | In PDF document text |
| http://sozizowumideni.rf.gd/22825400270.pdf | In PDF document text |
| http://joxigonulalotip.rf.gd/how_to_adjust_rainbird_sprinkler_heads_left_stop.pdf | In PDF document text |
| http://dezezefisimel.rf.gd/tutorial_corel_draw_x5_lengkap.pdf | In PDF document text |
| http://www.w3.org/1999/02/22-rdf-syntax-ns# | In PDF document text |
| http://purl.org/dc/elements/1.1/ | In PDF document text |
| http://ns.adobe.com/pdf/1.3/ | In PDF document text |
| http://ns.adobe.com/xap/1.0/ | In PDF document text |
| http://ns.adobe.com/xap/1.0/mm/ | In PDF document text |
| http://ns.adobe.com/xap/1.0/rights/ | In PDF document text |
| http://scripts.sil.org/OFL | In PDF document text |
| http://dejavu.sourceforge.net | In PDF document text |
| http://dejavu.sourceforge.net/wiki/index.php/License | In PDF document text |
Extracted artifacts (4)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00011019.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11019 | 3488 bytes | ab54c18b07373a39059e59f85dd3d83adf6f468d23e171316989542cdab5c2e4 |
| font_01_sfnt_off00011c98.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11C98 | 5264 bytes | bc7cb6540fcde6455481af44731ead78c1f220af3ad4032df64f70a9d8c4d2fe |
| font_02_sfnt_off00012e82.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12E82 | 11184 bytes | 18c4bf89abd67997c11a2ae2f619aa68fb339158d5d9b8b3eef61e359513cd30 |
| font_03_sfnt_off0001551c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1551C | 16164 bytes | 3f70697d8cfd0b9becff5adcad726f9ffedcc5d773cc6f7abbcc82b2f8034994 |