MALICIOUS
166
Risk Score
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
This PDF document was flagged by a machine learning classifier and ClamAV as malicious. It contains numerous embedded URLs, suggesting it may be part of a link farm or phishing campaign. Notably, it includes a 'Clipboard command execution lure,' instructing the user to copy and paste content into a shell, which is a common technique for executing malicious commands or downloading further payloads.
Machine Learning
- Nyx PDF Classifier malicious score 0.9993
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LUREDocument tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://vilenefex.ru/wix?keyword=air+traffic+control+career+prep+pdf+free+download PDF link annotation
- http://profapp.pro/jupoxipujuwurop98l8.pdfIn PDF document text
- http://natnat.fun/cashvertising_freecnbc4.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4495526/normal_60125aed7b59b.pdfIn PDF document text
- http://kyponnik.online/11088286173ps128.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4464083/normal_600b5ae4a26ee.pdfIn PDF document text
- https://zunepijubu.weebly.com/uploads/1/3/3/9/133986973/3823012.pdfIn PDF document text
- https://tazabavirivagi.weebly.com/uploads/1/3/0/8/130814173/3172009.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4485714/normal_603f1ed3ce8ac.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4385216/normal_5ff782e4ce8e8.pdfIn PDF document text
- http://dvestideyli.xyz/pexetolikh33s3.pdfIn PDF document text
- https://gurosutu.weebly.com/uploads/1/3/2/3/132303194/05dc74a6.pdfIn PDF document text
- http://femesugubu.iblogger.org/modern_world_history_textbook_online_10th_grade.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4489428/normal_602426b345c50.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://eee7329a-c4d5-4508-a8fd-a8ba515f7d9f.filesusr.com/ugd/5ed802_47c60a087f714e17b13cc3016015ec95.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/c63a7e2b-7fe8-43b4-8a35-6987413a2efc/87433438224.pdfIn PDF document text
- http://kopivenegi.epizy.com/22935609514.pdfIn PDF document text
- http://viwumizebawekez.epizy.com/frustration_aggression_theory_dollard.pdfIn PDF document text
- https://7835c217-6b95-46a1-915a-76cdebae3fe0.filesusr.com/ugd/debfb4_40a0e8a72cba452aaaabd53047e30688.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/4b5d573a-333a-4717-8a56-bb4002e34c41/vasesugujelivepuwuke.pdfIn PDF document text
- http://sifepati.epizy.com/tozojixapu.pdfIn PDF document text
- http://nedepufeto.epizy.com/app_to_soundcloud_songs_iphone.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/28293e0d-5db5-41f7-8559-b1ddc8efb836/jumigeminebuwowinevon.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/86572bbe-9b90-4461-972f-3ee81ada7b02/gorulowevuxi.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00013be3.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x13BE3 | 5052 bytes |
SHA-256: 5c18434eeda7d312dd00d763d364947a06bf72b0da275bc315a8efbd18014448 |
|||
font_01_sfnt_off00014d37.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x14D37 | 12568 bytes |
SHA-256: a7fc1a9e96bc51513c8d67fea42604d1a1664c5ac7a12a536ac1f252922bfbeb |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.