MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
This PDF file was flagged by multiple heuristics and a machine learning classifier as malicious, specifically as a phishing or link farm document. It contains numerous external links, with a critical heuristic identifying it as a link farm on disposable hosting, likely intended to redirect users to malicious sites. The ML classifier's high score and ClamAV detection further support its malicious nature.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://bologen.ru/strik?utm_term=washington+dc+area+population+growth PDF link annotation
- http://cmb-societe.com/25931932431xubg2.pdfIn PDF document text
- https://cdn.sqhk.co/gisepavuv/ugfiRun/85534075093.pdfIn PDF document text
- https://cdn.sqhk.co/kitujesijak/jcx8igT/league_of_legends_wild_rift_beta_apk.pdfIn PDF document text
- http://wujaxeniju.22web.org/buporugo.pdfIn PDF document text
- http://premial.su/el_libro_de_los_muertos_pelcula_online_latinopcwdl.pdfIn PDF document text
- https://cdn.sqhk.co/vokalater/hhwLmjd/begidusevinugigutivironi.pdfIn PDF document text
- http://vashe-zdorovie.xyz/rental_agreement_letter_between_family_membersqbt20.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/pojikovewijeja/broadcast_verb_past_form.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/1da35003-272f-4bce-8d28-968efaf7faa1/fekatologadavuxajabiwok.pdfIn PDF document text
- http://mafefelanepule.epizy.com/65253493928.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/fed15539-d9bf-48a8-99f7-bf6c289ad827/xedefonazuxereguwis.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/06bb8089-b2a5-4b2f-8c16-7151373edacd/52115082725.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/3ca34f64-3883-47a1-be94-425411bca77a/sunbeam_sgb8901_manual.pdfIn PDF document text
- https://s3.amazonaws.com/posufij/norme_afnor_nf_x60_010.pdfIn PDF document text
- https://b6c9d0de-81a1-4db9-ab7d-8a95af9e63d6.filesusr.com/ugd/b28ae2_94a57884876045e88c73d7b1e8110405.pdf?index=trueIn PDF document text
- https://56f9ebfc-1b58-4ccd-90b9-24793863e956.filesusr.com/ugd/0f3536_ee53bc0c7fed4b7686cb3ab0e20326f2.pdf?index=trueIn PDF document text
- https://6d8b2927-5c4d-40df-b593-c6bd35e19528.filesusr.com/ugd/1adac8_9542efed08004838921b591d3daf4486.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/380ecfd7-b149-4f45-be48-3dff480a2f17/kaxogorogafisuwov.pdfIn PDF document text
- https://13a7c488-548c-4b48-b567-d2b0b9a3e1de.filesusr.com/ugd/85d67f_0ac156d630ba4a40be3420de25db32cc.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/ravuxudibure/91953952603.pdfIn PDF document text
- https://s3.amazonaws.com/jenagubadopi/wendler_531_accessory_exercises.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000fa1b.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFA1B | 5440 bytes |
SHA-256: ec41daa07879ad8f4ecf4903a61c03c3f12d1ab5bbb0d1dfbed9a598c5d0da9f |
|||
font_01_sfnt_off00010cac.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10CAC | 11092 bytes |
SHA-256: 46efd2d6acf6f420a4c8df52f65d07e391e38a58a60118d90ab11830805f5339 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.