MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains numerous external links, a common tactic for SEO link farms. The heuristics 'PDF_SEO_LINK_FARM' and 'PDF_SEO_DISPOSABLE_LINK_FARM' indicate a high volume of links pointing to potentially disposable domains. The embedded URL 'https://pelibifir.ru/wix?keyword=test+3c+ap+statistics+answers' suggests a lure to a website, likely for traffic generation or further malicious activity. The ML classifier also flagged this PDF as malicious with high confidence.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://pelibifir.ru/wix?keyword=test+3c+ap+statistics+answers (PDF link annotation)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0001146d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1146D | 5100 bytes | c126d99c39b3a398c095372162dedfc22336fafe240db7754fc51523ccb44997 |
| font_01_sfnt_off000125e6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x125E6 | 11660 bytes | 051d36b280c6dc42258e610baba900d668cc08cba5fbf5afc30670bec4a10f38 |