MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ponafet.ru/123?utm_term=lab+report%2523+6.+dna+and+genes PDF link annotation
- https://static.s123-cdn-static.com/uploads/4367621/normal_6003cedee6f25.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4455657/normal_601495d6a43d1.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4494875/normal_6035df85e9fea.pdfIn PDF document text
- http://jenerotisa.mywebcommunity.org/81126203322.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4404750/normal_5fc74c08cba97.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://4b5f4e46-8b81-4257-bf39-61fc08ba57b0.filesusr.com/ugd/7ea8bb_246ed78ae65448bd8e6ca1dff92c9a04.pdf?index=trueIn PDF document text
- https://44034db3-6cdd-4729-adf3-7ccd6afcf354.filesusr.com/ugd/9fe9cc_16e5badfc2aa4740ae4587ec81275f1e.pdf?index=trueIn PDF document text
- https://3bcdeb60-9876-4d14-bc0a-1dd1632c647c.filesusr.com/ugd/16a96a_7f02095d00c246d6926c8f4c9ef7ea64.pdf?index=trueIn PDF document text
- https://f039f7e9-c7fa-441d-bf3d-2f0e35d6be10.filesusr.com/ugd/80685d_230b447e0a11481690c2c02532060e0c.pdf?index=trueIn PDF document text
- https://f64a1a0a-debf-4843-a838-a34c0cae0f4a.filesusr.com/ugd/89602e_a11e5e43e8ea40a0b95332e3660f39e1.pdf?index=trueIn PDF document text
- https://d497f082-4895-42de-a72c-038d9367c8a3.filesusr.com/ugd/8e727b_988b024ed0a4409aa75aec7c2efb987a.pdf?index=trueIn PDF document text
- http://nafaradevofipaf.myartsonline.com/kikobububesuvusokek.pdfIn PDF document text
- https://4647adb0-9c01-46a1-aef1-4380d5873f13.filesusr.com/ugd/edb4a7_5d828d4f9d2643e294b442cdcfa2d682.pdf?index=trueIn PDF document text
- https://29c5b005-6627-40e3-9da1-9f9d3dbc34dc.filesusr.com/ugd/7ad284_345f96eccd0d436396223752d328e360.pdf?index=trueIn PDF document text
- https://6afed14e-2b01-442b-8c2e-11a8a6f39965.filesusr.com/ugd/46a5ae_2a0517857f8b4b8c98c8c63ee8163d25.pdf?index=trueIn PDF document text
- https://30cc9e9c-6145-4029-bfdc-d0561bdb3a10.filesusr.com/ugd/0dcf4b_9d67ff44e20a4145822e53293868f082.pdf?index=trueIn PDF document text
- https://2cc12256-1025-444a-bacb-901a9f007bda.filesusr.com/ugd/d1fcfc_b556479791de4acab42ecfb116eac75c.pdf?index=trueIn PDF document text
- https://b5c90759-dbf8-4ccd-b12d-e23c958527f9.filesusr.com/ugd/915a55_0937022d67944be8b1de143bb6cb689b.pdf?index=trueIn PDF document text
- https://58f604bd-1fd8-4cfe-af9b-f15e67d030d5.filesusr.com/ugd/9a7439_7ff751e2b2c344f795a1f7a5e4fcd607.pdf?index=trueIn PDF document text
- https://6acf0ca1-aa41-4771-8b91-54baff69ee7f.filesusr.com/ugd/7d1dc9_f6ec071988e74670941e1648d6711a29.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f669.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF669 | 4684 bytes |
SHA-256: a59c657a08d192b42bba186817569103fe186180cd6161f0a53c858522fe4911 |
|||
font_01_sfnt_off00010665.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10665 | 11824 bytes |
SHA-256: 555471a82e6ca8824de47252e1d568879261a55f0065a2333e04766723e92ee8 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.