Verdict: MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF file is identified as malicious by ML classifiers and ClamAV, specifically as a phishing trojan. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm or redirection scheme. The document body, though heavily obfuscated, appears to contain text related to performance reviews, likely serving as a lure to encourage users to click on the embedded malicious URLs.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9997
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://resalured.ru/123?utm_term=performance+review+career+development+examples (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0001080d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1080D | 5524 bytes | fb8d56c88aa6505d82caf1ccaef894cea5a7d996bf7cd382fc72573f0114ce4c |
| font_01_sfnt_off00011ad2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11AD2 | 10744 bytes | 72ba65d89fdc4558555322bfb7828549df4eeb45007349bc87a73349774c246a |