MALICIOUS
Risk Score: 196
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file exhibits the characteristics of a phishing lure: it carries a link farm and points to an SEO redirector that disguises its purpose. The primary URL, 'https://ketchas.ru/pbw?utm_term=20+amino+acids+structures+and+names+pdf', indicates an attempt to lure users into downloading further content. The ML classifier and the ClamAV detection together strongly indicate malicious activity, most likely malware distribution or credential harvesting.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule CLAMAV_DETECTION). ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM). Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Image lure linking to an SEO redirector (free-download phishing) (severity: high, rule PDF_SEO_UTM_REDIRECTOR_LINK). PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector: the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, regardless of how many filler text pages the lure carries.
- External URI (severity: info, rule PDF_URI). PDF contains an external URL action.
- Object number defined twice with different bodies (severity: info, rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL). The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (severity: info, rule EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URLs (channel in parentheses):
- https://ketchas.ru/pbw?utm_term=20+amino+acids+structures+and+names+pdf (PDF link annotation)
- https://cdn-cms.f-static.net/uploads/4380073/normal_5fd3095a5ce12.pdf (in PDF document text)
- https://cdn-cms.f-static.net/uploads/4457847/normal_601fa64cbef7b.pdf (in PDF document text)
- https://cdn-cms.f-static.net/uploads/4480891/normal_604ca5992a9cb.pdf (in PDF document text)
- https://cdn-cms.f-static.net/uploads/4447251/normal_6053e1b648670.pdf (in PDF document text)
- https://cdn-cms.f-static.net/uploads/4414495/normal_6068e1fb3f3f4.pdf (in PDF document text)
- https://kekoweditolig.weebly.com/uploads/1/3/2/6/132683085/newizafaziv.pdf (in PDF document text)
- https://nijifepobolo.weebly.com/uploads/1/3/5/3/135316947/nalazekawidaw.pdf (in PDF document text)
- https://ruzutemeba.weebly.com/uploads/1/3/2/6/132681300/vatorojajegafo.pdf (in PDF document text)
- https://cdn-cms.f-static.net/uploads/4422163/normal_606a5e7763ce0.pdf (in PDF document text)
- https://xuremesedadewo.weebly.com/uploads/1/3/4/5/134500919/xowagoruzi.pdf (in PDF document text)
- https://cdn-cms.f-static.net/uploads/4408464/normal_60281b7285bbf.pdf (in PDF document text)
- https://static.s123-cdn-static.com/uploads/4410459/normal_5fc5816e82224.pdf (in PDF document text)
- http://www.ascendercorp.com/ (in PDF document text)
- http://www.ascendercorp.com/typedesigners.html (in PDF document text)
- https://uploads.strikinglycdn.com/files/02d42ac6-7c62-482a-bff8-0cb29655c0d9/what_is_the_main_idea_of_in_flanders_fields.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/e7a0d20a-94f5-4499-ac88-511db74b7921/how_long_does_it_take_to_bake_costco_macaroni_and_cheese.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/2815b0ed-3375-42e4-8d74-e6932056d8a6/28300484354.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/1b4752d9-d431-4471-aff2-c56c6778b78c/trigonometric_identities_problems_for_class_11.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/e86f4e5d-224f-4f4a-870a-2b5ef34e3488/28521500438.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/8669c913-79f1-4568-8222-6a736e0d692b/kenmore_he2_washer_instructions.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/268281a9-6fbc-439b-9fa4-5aad7a345942/57245916738.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/d019092b-fd15-43a7-a9c9-f7f45d8f2f37/folic_acid_drug_nursing_considerations.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/c1f5f072-3e31-4e74-815a-23ec3ad11822/how_to_read_ao_smith_serial_number.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/f164231a-0f05-4faf-b200-5eb93c293a5d/kafamijafevawifisu.pdf (in PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
- http://purl.org/dc/elements/1.1/ (in PDF document text)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
- http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000ffc1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFFC1 | 5448 bytes | 1619752f0447eb2e478983507e0a80abe857958293c4331f9ae9f083af7bcd57 |
| font_01_sfnt_off0001122f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1122F | 10916 bytes | 8467c6e8a904574ac173056c877be82fbad216b6ef6f8a2ab1abc02eac745005 |