MALICIOUS
166
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
T1203 Exploitation for Client Execution
This PDF document was flagged as malicious by ClamAV and an ML classifier. It uses a LOLBin command-execution lure. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMANDExtracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://dugedepap.ru/strik?utm_term=final+fantasy+x-2+ps2+walkthrough PDF link annotation
- http://onlyforyou.space/sheet_extrusion_die_design0flsp.pdfIn PDF document text
- http://idealica-co.site/marantz_nr1606_hdrf3it4.pdfIn PDF document text
- http://hq-cleartv.info/9085050553250ihg.pdfIn PDF document text
- http://creditscorehelp.info/grade_3_afrikaans_reading_books7z19d.pdfIn PDF document text
- http://lighttravel-ng.com/41142230254dabka.pdfIn PDF document text
- http://idealica-italy.site/fertile_lands_papyrus_answereo5o7.pdfIn PDF document text
- http://mybatut.store/28308898631eypex.pdfIn PDF document text
- http://ijmalan.xyz/bojipatedigisifepiepw4.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4366666/normal_604d8d6089db0.pdfIn PDF document text
- http://fortuneo.biz/learn_powershell_in_a_month_of_lunches_2020nwwvp.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4476285/normal_5ff16d56de8c5.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4420745/normal_5fed10be4563a.pdfIn macro / runtime command snippet
- https://cdn-cms.f-static.net/uploads/4390680/normal_5fe632322c492.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/29fbcaf0-626f-4c65-a19c-28c4dc579cb7/dulerene.pdfIn PDF document text
- http://renepipelusibav.rf.gd/ferret_diet_guide.pdfIn PDF document text
- http://fibotemirazopo.rf.gd/jaina_build_guide_hots.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/33e9eb1e-38d0-4b83-b01c-add959fabab0/91350126065.pdfIn PDF document text
- https://c245485c-e1a4-4c5a-9a2a-c465a95e53c8.filesusr.com/ugd/25f824_bb320e13eb3347a290291abf412ce8a6.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/6f088c08-6c6b-4546-83de-3757eb5a2407/contour_next_ez_test_strips_near_me.pdfIn PDF document text
- http://xutasiwewuzaf.rf.gd/letter_cancellation_worksheets_printable.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f6835223-9735-44c6-93c9-8c1b7eecc83a/4681437980.pdfIn PDF document text
- https://def26600-86c9-4442-a738-094ddf2992d1.filesusr.com/ugd/eb5a6a_96a04fdf429c484b9b9fd54a8e168587.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0001188e.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1188E | 5608 bytes |
SHA-256: 60f0a1084a6a515401943cd7285c721f456e6881f8359226dd595be191fd34e1 |
|||
font_01_sfnt_off00012bd2.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12BD2 | 10400 bytes |
SHA-256: 306529b4be77a7f4a291318916f7252b8e4800cc71456068eec48722afb7b64c |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.