Verdict: MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript (not corroborated by the heuristics below: no JavaScript detection fired, and the link-farm rule itself notes that the PDF carries no exploit, so treat this mapping as a generic classifier label rather than an observed behaviour)
This PDF contains a large number of external links, many of them pointing to free or disposable file-hosting services, which is the shape of a generated SEO link-farm or phishing carrier rather than a normal document with citations. The single clickable link annotation, https://fokemale.ru/wix?keyword=google+drive+dunkirk+harry+styles, carries a search-keyword lure (a redirector keyed on a popular query). The ML classifier (malicious score 0.9994) and the ClamAV signature both indicate malicious intent. The file itself carries no exploit: the risk is in the linked destinations, which route users into phishing or unwanted-software delivery chains.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9994
Heuristics (6)
- ClamAV detection [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  Note that the clustered and non-clustered rules both fired on the same file. The URL list below holds 23 .pdf links on 13 distinct hostnames, nine of which are per-site GUID subdomains of filesusr.com; grouped by registrable domain they fall on five domains, with filesusr.com (9) and sqhk.co (5) the largest. Whether that counts as "clustered on one host" depends on how a rule groups hostnames, so the two verdicts are not contradictory, they measure host concentration differently.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content. When triaging, resolve the file under both policies and compare the URL sets and actions each one yields.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Only one URL was reached through a clickable channel:
  - https://fokemale.ru/wix?keyword=google+drive+dunkirk+harry+styles (PDF link annotation)
  The remaining URLs were found in PDF document text. The last seven (ascendercorp.com, the w3.org, purl.org and ns.adobe.com namespace URIs, and scripts.sil.org/OFL) are XMP/RDF schema identifiers and embedded-font vendor and licence strings, not navigable lures; the .pdf links on cdn.sqhk.co, cdn-cms.f-static.net, static.s123-cdn-static.com, *.filesusr.com and s3.amazonaws.com are the link-farm payload.
  - https://cdn.sqhk.co/ninulekuto/qDevnii/duvajijowefonojanekawere.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4367299/normal_60373b5bf3a43.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4454180/normal_5fdb6937b8183.pdf (in PDF document text)
  - https://cdn.sqhk.co/gotakavapu/8Njhhjp/dunkaroos_oreos_for_sale.pdf (in PDF document text)
  - https://cdn.sqhk.co/rirexiwudag/ieJiemh/red_lobster_specials_for_monday.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4470017/normal_602f0e7b50967.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4461485/normal_604857ea93060.pdf (in PDF document text)
  - https://cdn.sqhk.co/lexikegije/gijvahb/49147913790.pdf (in PDF document text)
  - https://cdn.sqhk.co/xadakede/LRjeEhe/the_chosen_episode_2_plot.pdf (in PDF document text)
  - https://static.s123-cdn-static.com/uploads/4370077/normal_60048760b927e.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - https://cae2aa39-5014-47ec-b549-0fed73f36d02.filesusr.com/ugd/c8683e_9e5a0fc4c6c8436da9d9e123f1adadd0.pdf?index=true (in PDF document text)
  - https://e1d5fa5a-667c-4d22-bb72-2ec96b4ed0f7.filesusr.com/ugd/01f30d_ce325767736d4622bfb148a76d37772b.pdf?index=true (in PDF document text)
  - https://s3.amazonaws.com/tanikanaw/secure_folder_android_6.pdf (in PDF document text)
  - https://s3.amazonaws.com/lanaladu/90306908893.pdf (in PDF document text)
  - https://dec4a425-646e-450a-80ca-a73a75d058ad.filesusr.com/ugd/ba3095_20e0fb65c8874d749a81c304012f277f.pdf?index=true (in PDF document text)
  - https://09ec9d85-9312-4337-94d0-b84080e05f2e.filesusr.com/ugd/ac0094_df92f5a27d904800b9befcf108bfa137.pdf?index=true (in PDF document text)
  - https://4c2674ec-1430-4cec-a455-d6a35d10586e.filesusr.com/ugd/38955b_c1a780ae111143cdaab33b4871186078.pdf?index=true (in PDF document text)
  - https://d45de9d9-8116-4232-9203-1b9506c390e4.filesusr.com/ugd/a69a10_a9b786f54990403799c5a85f0a321ae0.pdf?index=true (in PDF document text)
  - https://s3.amazonaws.com/bejenosugede/midejibulatovowiwigozek.pdf (in PDF document text)
  - https://40785fcd-1e5e-4316-9306-5db1d5795eae.filesusr.com/ugd/2f07a1_173adc572d724b76a76e2f6b88f87d2c.pdf?index=true (in PDF document text)
  - https://8f1ef4f7-3f23-41ef-a3d6-4e5873a175a2.filesusr.com/ugd/d318ce_381eecc3b6344f04a744d015bfc9dddc.pdf?index=true (in PDF document text)
  - https://s3.amazonaws.com/tonemakopinibem/pomefolexo.pdf (in PDF document text)
  - https://1c019786-7048-4615-837a-ae53f087c4ae.filesusr.com/ugd/8b4172_8c48837751ed4042a21432baa747d5d5.pdf?index=true (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
  - http://scripts.sil.org/OFL (in PDF document text)
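The link-farm and duplicate-object heuristics above describe two checks that a triage script can reproduce offline. The following is an added example, not the analyzer's own code or rule set: it builds a constructed miniature PDF (all hosts under .example are hypothetical) whose object 4 is defined twice with different bodies, extracts URLs from /URI link actions and from document text under both first-wins and last-wins object resolution, and then profiles the .pdf links by host, once per hostname and once per registrable domain. That grouping difference is what lets a "clustered" and a "non-clustered" rule fire on the same file. The thresholds min_links and cluster_share are illustrative assumptions, not the report's rule parameters.

```python
"""Offline triage of a PDF for two heuristic shapes from the report above:
a duplicate indirect object with different bodies (first-wins vs last-wins parsing)
and a link farm of external .pdf URLs (clustered on one host or spread across many)."""
import re
from collections import Counter
from urllib.parse import urlsplit


def _stream_obj(num: int, body: bytes) -> bytes:
    """Build 'num 0 obj' holding a content stream with a correct /Length."""
    return b"%d 0 obj << /Length %d >>\nstream\n%s\nendstream\nendobj\n" % (num, len(body), body)


# Constructed sample, not the analysed file; every host under .example is hypothetical.
# Object 4 is defined twice: the first copy carries one URL, the second copy (an
# "incremental update") carries five .pdf links spread over several hosts.
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] /Contents 4 0 R >> endobj\n",
    _stream_obj(4, b"BT (https://x1.host.example/a.pdf) Tj ET"),
    b"5 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://lure.example/wix?keyword=free+template) >> >> endobj\n",
    _stream_obj(4, b"BT (https://x1.host.example/a.pdf https://x2.host.example/b.pdf "
                   b"https://x3.host.example/c.pdf https://cdn.other.example/d.pdf "
                   b"https://bucket.store.example/e.pdf) Tj ET"),
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

# Regex scan of raw bytes: no xref, object streams or stream decompression, so real
# files need a proper parser (and /FlateDecode inflation) in front of these checks.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
TEXT_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")


def object_table(pdf: bytes, policy: str = "last") -> dict:
    """Map (num, gen) -> body bytes under a first-wins or last-wins resolution policy."""
    table = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        if policy == "first" and key in table:
            continue
        table[key] = m.group(3).strip()
    return table


def duplicate_objects(pdf: bytes) -> dict:
    """(num, gen) -> list of bodies for every object defined more than once with
    differing bytes (the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape)."""
    bodies = {}
    for m in OBJ_RE.finditer(pdf):
        bodies.setdefault((int(m.group(1)), int(m.group(2))), []).append(m.group(3).strip())
    return {k: v for k, v in bodies.items() if len(set(v)) > 1}


def extract_urls(pdf: bytes, policy: str = "last") -> dict:
    """url -> channel. /URI link actions are taken from the raw bytes; document-text
    URLs are taken only from the bodies the chosen policy would actually resolve."""
    urls = {m.group(1).decode("latin-1"): "link annotation" for m in URI_ACTION_RE.finditer(pdf)}
    for body in object_table(pdf, policy).values():
        for u in TEXT_URL_RE.findall(body):
            urls.setdefault(u.decode("latin-1"), "document text")
    return urls


def link_farm_profile(urls: dict, by_registrable_domain: bool, min_links: int = 4,
                      cluster_share: float = 0.5) -> dict:
    """Count external .pdf links and measure how concentrated they are on one host.
    min_links and cluster_share are illustrative assumptions, not the report's values."""
    pdf_links = [u for u in urls if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter()
    for u in pdf_links:
        host = urlsplit(u).hostname or ""
        if by_registrable_domain:
            host = ".".join(host.split(".")[-2:])  # naive: no public-suffix list
        hosts[host] += 1
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    if len(pdf_links) < min_links:
        verdict = "no link farm"
    elif share >= cluster_share:
        verdict = "clustered link farm"
    else:
        verdict = "non-clustered link farm"
    return {"pdf_links": len(pdf_links), "top_host": top_host, "top_share": share, "verdict": verdict}


if __name__ == "__main__":
    print("duplicate objects:", {k: len(v) for k, v in duplicate_objects(SAMPLE_PDF).items()})
    for policy in ("first", "last"):
        urls = extract_urls(SAMPLE_PDF, policy)
        print(policy + "-wins resolution sees", len(urls), "URLs")
        for by_domain in (False, True):
            print("  by_registrable_domain=%s:" % by_domain, link_farm_profile(urls, by_domain))
```

Run stand-alone, the script reports object 4 as duplicated; a first-wins reader sees only the annotation lure plus one text URL and no link farm, while a last-wins reader sees five .pdf links that are a non-clustered farm when hosts are counted by full hostname but a clustered one when the GUID-style x1/x2/x3 subdomains collapse onto their parent domain. On a real sample, run the URL extraction on the decompressed streams of each resolution and diff the two sets; a delta there is what turns the duplicate-object finding from "benign incremental update" into something worth escalating.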
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f9e7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF9E7 | 5344 bytes | 75ee4ab8df5e7d6c566ac470ea676a0a824c0fb983f693ff955b8ad168c6750f |
| font_01_sfnt_off00010c1c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10C1C | 10984 bytes | 435f92e6e275f87024404dbc413ac7aac0882b7ad7d4ac8487ab5befab35ba23 |