MALICIOUS
Risk Score: 156
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 5
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://xajibur.ru/strik?utm_term=returning+to+work+after+maternity+leave+letter+template+uk (PDF link annotation)
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000fd17.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFD17 | 5252 bytes | b6ea193acb6213d63232fead59c9b99242e306c25ccb801e47900b0a6d37379e |
| font_01_sfnt_off00010f06.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10F06 | 11324 bytes | a65d7678526d290f8be7691e8aafb33f5af63c2552ac70d00a81147d94ef9ef2 |
| font_02_sfnt_off00013597.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13597 | 4324 bytes | 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333 |