MALICIOUS
Risk Score: 156
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous external links, with one pointing to 'jacksth.ru', suggesting a phishing or scam campaign. The PDF's structure and embedded links are indicative of a link farm used to distribute malicious content or redirect users to phishing sites.
Machine Learning
- Nyx PDF Classifier malicious score 0.9990
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://jacksth.ru/strik?utm_term=%25D1%2581%25D0%25BA%25D0%25B0%25D1%2587%25D0%25B0%25D1%2582%25D1%258C+%25D0%25B4%25D1%2580%25D0%25B0%25D0%25B9%25D0%25B2%25D0%25B5%25D1%2580%25D0%25B0+%25D0%25B4%25D0%25BB%25D1%258F+%25D1%2580%25D1%2583%25D0%25BB%25D1%258F+defender+forsage+drift+gt (PDF link annotation)
  - https://static.s123-cdn-static.com/uploads/4481173/normal_5fc79950f0993.pdf (in PDF document text)
  - https://static.s123-cdn-static.com/uploads/4423780/normal_5feb35b2cb132.pdf (in PDF document text)
  - https://tobejisexin.weebly.com/uploads/1/3/1/4/131454505/voruxem_gipefaga_tisup_xiposis.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4454558/normal_602221c90b6b6.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4470220/normal_604fb09e683f1.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4446380/normal_6022c6b30a482.pdf (in PDF document text)
  - https://meverofukibax.weebly.com/uploads/1/3/4/6/134620555/vulojale-gifulopuna-tanotomaviguj.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4483349/normal_60266977ea510.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4466666/normal_602d2fd29325c.pdf (in PDF document text)
  - https://xemibunadagom.weebly.com/uploads/1/3/4/6/134639404/6ce04ca1de4bb.pdf (in PDF document text)
  - https://dedejabo.weebly.com/uploads/1/3/4/8/134875177/3303061.pdf (in PDF document text)
  - https://static.s123-cdn-static.com/uploads/4495860/normal_5ffebdab71edd.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4366003/normal_5fd2825c04dae.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4454682/normal_601db1767cd99.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4485942/normal_60581c698310e.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - https://uploads.strikinglycdn.com/files/43b2441a-7fbf-4ddd-9c4c-c8c5d60a65fc/what_are_the_three_inventory_cost_flow_assumptions.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/c7aea7bc-dc08-4830-8df6-4bed01fe98f0/evenflo_car_seat_safemax_installation.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/d1890bee-171e-4efb-96e5-07dfdb14c9bc/what_time_does_disney_world_close_tonight.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/2b328313-b0d7-49cd-addb-8da3f793ccf0/why_did_the_confederacy_think_they_could_win.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/686eafff-5b33-4a12-980d-1cb0dcaa80c7/13637638618.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/aa6984cd-5c8e-487b-a394-73f90e3d5137/tewixixitowasavoworet.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/5cde9912-0256-4cc3-ba94-1812f86b4ca5/which_electron_configuration_represents_a_violation_of_the_pauli_exclusion_principle_why.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/87ba42c3-2a7a-403b-875d-53fa150cb42e/13_reasons_why_theme_song_piano.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/2480cc68-9c36-489e-986c-53dd2b1989a1/mansions_of_madness_app_go_back.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/d7299156-cf7f-44ff-b3b2-6bdfe39e2671/vemorun.pdf (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
  - http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f093.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF093 | 6468 bytes | 82ad4dc7c185602cd95954fcbf0fb406b3c2c6393681f163e41fd84a3a7737a2 |
| font_01_sfnt_off0001059d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1059D | 15332 bytes | fbff84392b9e37b92a82a2afa04480fb8c46c0b11222903eecb5751ff38769d4 |