Verdict: MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF file is identified as malicious by multiple heuristics and a machine learning classifier, and is specifically flagged as a phishing trojan. It functions as a link farm, directing users to numerous external websites, some hosted on disposable domains, under the guise of a timeline. The primary attack pattern is to use these links to route users to malicious content or phishing sites.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://bologen.ru/strik?utm_term=forgotten+realms+drizzt+timeline (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000ed0e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xED0E | 5152 bytes | 19f4dc0bb8b9f2992a1d95e31cf78144412e9f86ae3aa3b6289f75219a110d6b |
| font_01_sfnt_off0000fe86.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFE86 | 11040 bytes | c83b454e8aa7e101d156e18b6fe5b37b3ba18277f9ba3e10b1a7bcf75af4dac2 |