MALICIOUS
Risk Score: 214
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains numerous external links, with one specifically pointing to a URL related to 'frsc aptitude test past questions pdf'. Heuristics indicate a link farm and a potential phishing/malware detection by ML classifiers and ClamAV. The document body, though heavily obfuscated, contains metadata suggesting it's a PDF generated by wkhtmltopdf, and the presence of embedded URLs and link farm heuristics strongly suggests a malicious intent to redirect users to potentially harmful content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9967
Heuristics 8
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- Callback phishing phone lure (medium, SE_CALLBACK_LURE): Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
- https://pelibifir.ru/award?keyword=frsc+aptitude+test+past+questions+pdf (PDF link annotation)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00011da5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11DA5 | 5200 bytes | c07e3573bdd429e1d048688dadd9134fcc07dcf54adff5bdf6d705df4a99783c |
| font_01_sfnt_off00012f68.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12F68 | 12408 bytes | b5d7d8b7ff911d42be2865e6ec352225583e15a777bab94383150f36392c3738 |