MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics 6
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://nipisod.ru/123?utm_term=cait+guide+aram (PDF link annotation)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f40f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF40F | 4840 bytes | 11fa2c04212505164823447e76cb7b136f9eb7933a44fd2bd0ef6cbdd242608a |
| font_01_sfnt_off0001046b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1046B | 11060 bytes | 4689d910663dc94e020c1fad1822a9ab5ac3d8337cfdf775f423f0fbc5612d10 |