MALICIOUS
126
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains numerous embedded URLs, including one that mimics a search query to trick users into clicking it. The PDF's structure and embedded links suggest it's part of a link farm designed to redirect users to potentially malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9982
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://golowaki.ru/strik?utm_term=how+many+days+is+paternity+leave+in+philippines PDF link annotation
- http://lobabinuladeri.medianewsonline.com/naligibarubuvopatejilim.pdfIn PDF document text
- http://firolinulaka.22web.org/aditya_hrudayam_in_tamil.pdfIn PDF document text
- http://bikelumonekodex.mygamesonline.org/rapubobubiwunukov.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4457563/normal_5fc610d84fc61.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4476001/normal_603e2e0749a5e.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4406170/normal_602e45ae36e33.pdfIn PDF document text
- http://rifijetuvijilam.medianewsonline.com/53125109887.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4421783/normal_5ff4bf80bded1.pdfIn PDF document text
- http://gedobitubojufu.iblogger.org/anticipatory_guidelines_for_5_year_olds.pdfIn PDF document text
- http://tijukilebag.getenjoyment.net/the_lost_continent_wings_of_fire_book_11.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.daltonmaag.com/In PDF document text
- http://vilolosukip.rf.gd/28841562943.pdfIn PDF document text
- http://fozosoripivo.epizy.com/barinam_inna_sathutin_song.pdfIn PDF document text
- https://aefb6378-f3ca-470a-b9d2-22936542d087.filesusr.com/ugd/fe129c_2abb9f7a19334ac699a33e8d3651ca4c.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/fojaxexino/xiaomi_mi_bluetooth_speaker_english_manual.pdfIn PDF document text
- https://937a8a2d-b41a-4163-aff8-eda6db263557.filesusr.com/ugd/21e6f2_e6180e2a9b614e2f881a761bb1d7c53e.pdf?index=trueIn PDF document text
- https://144c9d4d-401b-437b-b89f-6a5816d7da47.filesusr.com/ugd/cd33f5_311f5871628a4b6da0d60b97811f8d3f.pdf?index=trueIn PDF document text
- http://tadezaxe.rf.gd/integrative_literature_review_vs_systematic_review.pdfIn PDF document text
- https://6448a590-b571-4b71-a9e4-820b8531b153.filesusr.com/ugd/782be2_b12cdd86789b473892668fa5690b7ed8.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/libusamagowuvo/worefewosewatilimuxet.pdfIn PDF document text
- https://29c5b005-6627-40e3-9da1-9f9d3dbc34dc.filesusr.com/ugd/7ad284_312cefd238894bf1ade942fb852018c6.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/semuxemakaw/51062400686.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 5
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_006_off0001d149.bin |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1D149 | 17136 bytes |
SHA-256: da0c66277aa02f78009ec3e89a1715915522672b02504a8a9bc74e42b8397889 |
|||
font_00_sfnt_off00017783.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x17783 | 8360 bytes |
SHA-256: 8654e43e22d7b0e8b931041ec17fd6ff737e7404c0cba535436ef8f1a6cb8d97 |
|||
font_01_sfnt_off00019357.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x19357 | 5200 bytes |
SHA-256: 55e4338ea4bfa4d917e537ee8125dd1cc3209b62713e7e1909876685adf7fcc7 |
|||
font_02_sfnt_off0001a4e7.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1A4E7 | 13920 bytes |
SHA-256: 82f47763df78011d6587ca7bb3e750d9fedb8b90bcb4578b3af77660633638bc |
|||
font_04_sfnt_off0001ea3b.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1EA3B | 4324 bytes |
SHA-256: a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.