MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
This PDF sample was flagged by multiple heuristics as a link farm, containing numerous external links to other PDFs hosted on potentially disposable domains. The ML classifier and ClamAV also identified it as malicious, likely a phishing or SEO spam distribution mechanism. No scripts were extracted, but the structure suggests it's designed to redirect users to malicious or spam content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs
- https://oniceh.ru/pbw?utm_term=notes+of+biology+class+10+chapter+life+process (PDF link annotation)
- https://midizovusataleb.weebly.com/uploads/1/3/4/6/134618082/20cc7badf.pdf (in PDF document text)
- https://cdn-cms.f-static.net/uploads/4464297/normal_601ec4d511b9a.pdf (in PDF document text)
- https://gazobibulome.weebly.com/uploads/1/3/4/7/134775133/jogexuv.pdf (in PDF document text)
- https://static.s123-cdn-static.com/uploads/4428083/normal_5fec8ec759e75.pdf (in PDF document text)
- https://tizosofamininu.weebly.com/uploads/1/3/4/3/134352685/579624.pdf (in PDF document text)
- https://kizegugiruliti.weebly.com/uploads/1/3/4/7/134729255/8614858.pdf (in PDF document text)
- https://memuwumobodedo.weebly.com/uploads/1/3/5/9/135974490/284105.pdf (in PDF document text)
- http://www.ascendercorp.com/ (in PDF document text)
- http://www.ascendercorp.com/typedesigners.html (in PDF document text)
- https://uploads.strikinglycdn.com/files/4c770b9d-5448-40c4-b4ba-5deb6a175903/51491574740.pdf (in PDF document text)
- http://sonopewobu.pbworks.com/w/file/fetch/144421047/87252115379.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/4e723482-800c-4061-afe4-7c8958440787/dijeje.pdf (in PDF document text)
- http://damopijos.pbworks.com/f/3560275977.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/7b9d27d5-3add-46a4-a8bb-9fecb9788c23/why_is_my_kindle_fire_not_charging_properly.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/8a8c6686-a311-453b-a573-42d2cca7b90b/sujupatalefifulenozuk.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/cdc044e0-8ae4-4066-ba87-1412d5a8584f/indian_philosophy_books_free_download.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/7dd33aa9-0a5d-4507-a363-7a6caa7da94d/67737769975.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/c8456071-b617-4a24-b4b9-ab747faae309/80028633229.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/70e13458-3d6a-4acd-978d-7de73a71f1de/samsung_55-inch_the_serif_2020_4k_qled_smart_tv.pdf (in PDF document text)
- http://xemademeku.pbworks.com/w/file/fetch/144678735/woxotulun.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/97101550-f164-48e9-a15d-1efd2b029ef7/13_colonies_map_printable_labeled.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/883d7186-3b34-4e3b-a06d-eeb549f9b463/disable_voice_search_google_chrome.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/c2ca2855-2256-422e-932b-cbd1a36e098f/32265121237.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/91b52a6f-78a4-40fe-9a82-8e2f63278190/75524024401.pdf (in PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
- http://purl.org/dc/elements/1.1/ (in PDF document text)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
- http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000dd5b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDD5B | 5680 bytes | 7c9939356c8ae13b134b44ba74058dc54fb8b476b8432cd271d9b67db5eae4d4 |
| font_01_sfnt_off0000f0c8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF0C8 | 10456 bytes | 0d36cc1610a1eba1fe1a79a21549e4b59b984ba40ecccb65d23bf460188d82da |