Verdict: MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains a large number of external links, many pointing to disposable domains, which is characteristic of a link farm used for SEO manipulation or phishing. The primary malicious URL identified is https://xajibur.ru/strik?utm_term=java+interview+questions+for+2+years+experience+-+quora, which is flagged as unknown reputation. ClamAV detected this file as Pdf.Phishing.Trojan, and an ML classifier also flagged it as malicious.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs (channel that reached each URL in parentheses):
- https://xajibur.ru/strik?utm_term=java+interview+questions+for+2+years+experience+-+quora (PDF link annotation)
- https://javeleguf.weebly.com/uploads/1/3/0/8/130873961/5900220.pdf (in PDF document text)
- https://lelamibi.weebly.com/uploads/1/3/0/7/130738841/petonenexemilupevel.pdf (in PDF document text)
- https://balalowomave.weebly.com/uploads/1/3/0/7/130738893/ca910119ad5.pdf (in PDF document text)
- http://www.ascendercorp.com/ (in PDF document text)
- http://www.ascendercorp.com/typedesigners.html (in PDF document text)
- https://uploads.strikinglycdn.com/files/0e0a1c5d-c0fe-4308-be43-518f1509ef80/xunogat.pdf (in PDF document text)
- https://61df3396-90b5-4b69-a3ae-475c9da6ebc5.filesusr.com/ugd/516574_64a6ef42898e4edabeff0eff5c5a1b32.pdf?index=true (in PDF document text)
- https://ce419959-236d-4487-89d7-67f356bda573.filesusr.com/ugd/147b51_5f065df213e846dfbfc2e7259a62f9bd.pdf?index=true (in PDF document text)
- https://uploads.strikinglycdn.com/files/6080194b-f26b-4aa5-935e-7876717b74dd/does_mp3_players_have_bluetooth.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/09afb168-3b42-4bfe-adb8-511a245aeda0/bloodlines_richelle_mead_tv_series.pdf (in PDF document text)
- https://0e67983c-e844-40c9-b604-97311ec94efe.filesusr.com/ugd/6e13d9_22748dc910f14e88af1d74932e099a03.pdf?index=true (in PDF document text)
- https://s3.amazonaws.com/toliwudalamem/possessive_pronouns_games_for_4th_grade.pdf (in PDF document text)
- https://c827806f-f9bf-4fd3-a4ce-e487c020fa79.filesusr.com/ugd/6fd45c_ffb21c093d04481a87cec7252af5bbd5.pdf?index=true (in PDF document text)
- https://uploads.strikinglycdn.com/files/c77c01c7-2042-4c7c-af9d-bf476e9c5178/70301280324.pdf (in PDF document text)
- https://s3.amazonaws.com/sowewazulejewi/bedingte_formatierung_excel_wenn_0_dann_farbe.pdf (in PDF document text)
- https://3176e400-c268-4dc0-8d69-08eae86937f8.filesusr.com/ugd/ea2f88_1f46a72acd3744baaedf606562be9db6.pdf?index=true (in PDF document text)
- https://dae57379-2785-4108-a223-4562ecbfc22e.filesusr.com/ugd/87ad98_5cf91ea127ee4e26a58bf709896708dd.pdf?index=true (in PDF document text)
- https://95a57b4d-a24c-4412-bd87-88f4f885d252.filesusr.com/ugd/011e4b_22a6c796551b4f0db6e9f6e0084b87bb.pdf?index=true (in PDF document text)
- http://senoneba.rf.gd/16860133488.pdf (in PDF document text)
- https://65de77fc-0341-4fd2-89b2-cd6b005a91de.filesusr.com/ugd/cf79db_3d1fa8b40a1345b4be6a2387e744c00f.pdf?index=true (in PDF document text)
- https://44034db3-6cdd-4729-adf3-7ccd6afcf354.filesusr.com/ugd/9fe9cc_786caf58cae84292aeb028bbb523d194.pdf?index=true (in PDF document text)
- http://fodiragotisaka.epizy.com/kepebonig.pdf (in PDF document text)
- https://s3.amazonaws.com/tufujifinobiro/atkins_phase_1_foods.pdf (in PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
- http://purl.org/dc/elements/1.1/ (in PDF document text)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
- http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000eba5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEBA5 | 5576 bytes | 5c4ed68c57c5e23b2508008885b7ee7db934e29bc1939606c405095b4e7f49c9 |
| font_01_sfnt_off0000fee6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFEE6 | 11292 bytes | d4afa381094fca375fcec3ea7faf2e59d707044cf578df34c4e5283bcd4c6e9b |