MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file was identified as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It functions as a link farm, containing numerous external links, with a notable malicious URL pointing to 'jacksth.ru'. The document's structure and embedded links suggest an attempt to manipulate search engine results or lure users to malicious sites.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://jacksth.ru/wix?keyword=westell+versalink+327w+wireless+setup PDF link annotation
- https://cdn-cms.f-static.net/uploads/4452169/normal_5fe8394dddc39.pdfIn PDF document text
- https://jazujopu.weebly.com/uploads/1/3/0/8/130873842/musugek-pones-rokibixubipuros.pdfIn PDF document text
- https://nipetetoxijekuj.weebly.com/uploads/1/3/4/7/134718304/3378b15d424cb82.pdfIn PDF document text
- https://nonaxoboru.weebly.com/uploads/1/3/4/4/134467623/pevonanuzab-jigiwamulu.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4472488/normal_5fc59244a8c64.pdfIn PDF document text
- https://pufopobumosuv.weebly.com/uploads/1/3/0/7/130776602/zimudela.pdfIn PDF document text
- https://lilonukile.weebly.com/uploads/1/3/4/7/134767916/9229422.pdfIn PDF document text
- https://gobewuguwug.weebly.com/uploads/1/3/6/0/136056794/30483f94581caf6.pdfIn PDF document text
- https://wiriresakuboso.weebly.com/uploads/1/3/4/2/134236055/gipoge.pdfIn PDF document text
- https://zulujiporanaru.weebly.com/uploads/1/3/4/5/134590758/tunisudefa.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://229c3593-bb94-4e5d-9b9f-ca3747df48ef.filesusr.com/ugd/145364_dcd9f4f892f949559f6e964de8be3377.pdf?index=trueIn PDF document text
- https://a9864912-ad24-422b-99f3-2d90f7703507.filesusr.com/ugd/d6af85_82d4e83b3cd14407b9c283f2e49301c1.pdf?index=trueIn PDF document text
- https://4f870d4f-701c-4ec6-bbb3-7277acc5528a.filesusr.com/ugd/fdcb8d_fe98b4d1237a472e9655af27976c3e1e.pdf?index=trueIn PDF document text
- https://f6180879-d31b-499c-8e42-fead7842c491.filesusr.com/ugd/007227_60fb073384d34623ad2e42c1e12363a7.pdf?index=trueIn PDF document text
- https://883cd1dc-02d0-4059-8fa2-99201f92b631.filesusr.com/ugd/6166c9_d6eb8c9cc2ab474296c0dab2cdf2a84c.pdf?index=trueIn PDF document text
- https://e39bfc17-a898-4016-ac91-fc9303c112df.filesusr.com/ugd/b5068a_079221f65f9642c8a0430c73a313ab76.pdf?index=trueIn PDF document text
- https://515a9975-19bb-4041-9922-7b1a45dc692c.filesusr.com/ugd/f34823_67838b7501294410a4ed2d23e355af39.pdf?index=trueIn PDF document text
- https://ebcfae26-b4e4-4f1a-a5b2-c5bdbddc1bdf.filesusr.com/ugd/259f90_ef040d454c424838a01dc354443c5cfd.pdf?index=trueIn PDF document text
- https://6eed613e-cbae-405e-b458-9655ef9033f8.filesusr.com/ugd/e4f6f0_398ba4332f6546e5a0965bf1adb53b17.pdf?index=trueIn PDF document text
- https://cb70cc59-2297-49c3-b7e2-2ac7e26e28d4.filesusr.com/ugd/4479ed_cc25419389194f4abb2b53bb81ad49f9.pdf?index=trueIn PDF document text
- https://0926596c-b1e6-4473-87d6-fed2e709bfeb.filesusr.com/ugd/e2a635_9bbc31c021864a75a3420080e0cf5cc1.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000eaca.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEACA | 5416 bytes |
SHA-256: 3a34d6f1f741e4000a9efdb843e9be7c370c6700ba76bd8161e145ad61a2a901 |
|||
font_01_sfnt_off0000fd6e.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFD6E | 11136 bytes |
SHA-256: de20ce59243b3d57e1a998cbda435d75fb99ec217de252e40d3683526d522343 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.