MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9993
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://jacksth.ru/strik?utm_term=what+foods+to+avoid+to+burn+belly+fat PDF link annotation
- https://mezuxanivatanid.weebly.com/uploads/1/3/4/4/134499991/069dd.pdfIn PDF document text
- https://derajuxojop.weebly.com/uploads/1/3/1/4/131452827/zogefuwokivo.pdfIn PDF document text
- http://todolosepaxo.iblogger.org/mafanalutojovid.pdfIn PDF document text
- https://baloxojiregape.weebly.com/uploads/1/3/4/6/134685367/kixamuw.pdfIn PDF document text
- https://kesevure.weebly.com/uploads/1/3/4/4/134497963/2c334581.pdfIn PDF document text
- https://neveloso.weebly.com/uploads/1/3/1/4/131408616/7232804.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/207b1814-409a-4325-9bf3-2d95d82ed268/betiwazovakas.pdfIn PDF document text
- http://jibovofafef.epizy.com/equipment_inspection_report_format_in_excel.pdfIn PDF document text
- http://moxutomib.rf.gd/nepuposulidazemibotu.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d992bd89-7342-437f-9d98-08bb605991d1/the_tipping_point_malcolm_gladwell.pdfIn PDF document text
- http://kujewawazereki.rf.gd/curtis_1206_controller_programming.pdfIn PDF document text
- http://ganibozebuzar.rf.gd/91745226101.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/6a7fd1de-dde5-4495-aff8-3181915346ac/eclipse_v180_mp3_player_manual.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/aa2378f3-6a4c-441e-a6f5-e2a45f1adb00/30803748616.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/04df12b3-c977-4ab3-9f8c-ee2ef14c222c/41093273275.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/386bdc8a-cd98-4fe9-9e50-6fd38514d6c9/what_is_the_word_count_of_the_harry_potter_books.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/309f766d-8524-469f-accc-21adbc274ac1/creader_professional_crp123_registration.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/5a20ead4-4e61-4926-ad67-9eee9c7c4e2b/kowejakezug.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a9b393c8-6d6f-43b2-be58-449a196a34b2/20347599502.pdfIn PDF document text
- http://jofarasaxorepow.rf.gd/management_science_and_engineering_major.pdfIn PDF document text
- http://xivubijorudi.epizy.com/10th_cbse_board_exam_2019_date_sheet.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/037f781b-9fdf-4403-955b-d5355ce41e93/10187522871.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/00424091-fc28-4619-831e-52cc7de3000a/67688351890.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0001207c.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1207C | 5312 bytes |
SHA-256: 4def306848c34e92c10ff8851561739d63cfe87c0639408ca0b16ceb3cac93e7 |
|||
font_01_sfnt_off0001329a.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1329A | 11056 bytes |
SHA-256: 3129604ebdeecf03a562690e152b23c04ad610424c49a423641429b14027907c |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.