Verdict: MALICIOUS
Risk Score: 156
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains a large number of embedded external links, with one heuristic specifically identifying a 'PDF_SEO_LINK_FARM'. The primary malicious URL identified is 'https://crysiq.ru/pbw?utm_term=instalaciones+de+gas+becerril+pdf', which is likely part of a phishing or content distribution scheme. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing trojan.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://crysiq.ru/pbw?utm_term=instalaciones+de+gas+becerril+pdf (PDF link annotation)
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f4fa.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF4FA | 5188 bytes | 9db2a0060ee027617b7f4e5c0892451e3ceb403324778c3e0d489b7910652393 |
| font_01_sfnt_off00010691.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10691 | 12320 bytes | 57cb8877dc2fd4d92e918eef43192cb31fad0493cb593995a24ea906b73daff4 |
| font_02_sfnt_off00012e29.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12E29 | 4324 bytes | cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34 |