Verdict: MALICIOUS (Risk Score 226)

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1539 Steal or Harvest Credentials
The PDF file contains numerous external links, many pointing to disposable hosting, suggesting a link farm designed to host phishing lures. The 'SE_MFA_LURE' heuristic specifically indicates that the document is designed to harvest credentials by impersonating a service that requires MFA or a one-time code. The embedded URL `https://irlanc.ru/pbw?utm_term=how+to+fill+income+certificate+form+haryana` is likely part of this phishing infrastructure.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9994
Heuristics (7)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- MFA / one-time-code harvesting lure (high, SE_MFA_LURE): Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL `https://irlanc.ru/pbw?utm_term=how+to+fill+income+certificate+form+haryana` (PDF link annotation).
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f6f7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF6F7 | 5096 bytes | 91b90e0ac614c4a8c0d131cbce28e3a30fb06dd90f6ab942f8a4e95b479e23e4 |
| font_01_sfnt_off00010836.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10836 | 10736 bytes | 00c9dd231bc3a17908d7d3a1c5bef6171843163f84255101b455d7c095746b89 |