Malware Insights
The PDF document contains numerous external links, many hosted on disposable domains, suggesting a link farm designed to redirect users to malicious content. The 'SE_BROWSER_INSTALL_LURE' heuristic indicates the document likely prompts the user to install a fake browser update or extension. While no scripts were directly extracted, the PDF structure and heuristics strongly suggest a phishing or malware distribution attempt, with the primary URL being https://soxebez.ru/strik. The ML classifier and ClamAV detection further support the malicious classification.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Browser extension / update installation lure high SE_BROWSER_INSTALL_LUREDocument tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://soxebez.ru/strik?utm_term=dog+fights+caught+on+video PDF link annotation
- https://cdn-cms.f-static.net/uploads/4408858/normal_604048623f128.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4446925/normal_603420bc3696a.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4462354/normal_603b65b09d5ab.pdfIn PDF document text
- https://cdn.sqhk.co/bakavaxa/b5ghEic/fitbit_charge_3_bands_target.pdfIn PDF document text
- https://cdn.sqhk.co/bijowiroma/ifQFrVo/90317654089.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4456122/normal_5fff2a735c722.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4451035/normal_60465dbca6a12.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/40ef8e56-8188-4aae-8f15-0f44554aa9bd/20329758778.pdfIn PDF document text
- https://9fc80a0e-b25b-4135-afeb-9811a1ea6bf8.filesusr.com/ugd/91e123_6f9c1281508d4040971353cb81c13937.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/fbcc8356-aafb-4081-adb7-3c49b5f3d32d/nexosutekazipalez.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/cf94eb30-95f4-4c96-b80d-6c794d057380/what_skills_and_knowledge_are_required_to_communicate_effectively.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/032d3fef-6687-4799-ab60-a8abc2304eb6/mitchell_auto_repair_login.pdfIn PDF document text
- https://56352102-112a-4456-a677-0775450c4ed3.filesusr.com/ugd/ed4e87_a48336774df643b697e634f1dd7b0dea.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/8c9b320f-8e59-4459-a1af-9a4677014801/different_types_of_texts_and_their_distinguishing_features.pdfIn PDF document text
- https://f62823ea-e863-4eb7-bd7c-e3bac0139ff1.filesusr.com/ugd/8c639a_7395784b8acb4a82b6ee06071b61f616.pdf?index=trueIn PDF document text
- https://1c2b20db-dbe1-4299-b4c0-f67d595d3b6c.filesusr.com/ugd/e71423_14ea6f64339a47f8b650a7cb4392fa90.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e873.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE873 | 5216 bytes |
SHA-256: c59d7b9294ad02e833a644d18e047934cdf78cd9f7a14ed8bf64bbe51acccbaf |
|||
font_01_sfnt_off0000fa4c.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFA4C | 11248 bytes |
SHA-256: 3c2fc7c47ba835d1913966482eef29d62c50ab97de4e4311be906f97a547f0de |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.