Verdict: MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains multiple external URIs, with a primary focus on directing users to 'xezojetit.ru' and 'spainsale.pro'. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' suggests these links are part of a scheme to obscure malicious intent. The document body, though heavily obfuscated, contains text related to a book search, likely a lure.
Machine Learning
- Nyx PDF Classifier malicious score 0.9991
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical; CLAMAV_DETECTION). ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting (medium; PDF_SEO_DISPOSABLE_LINK_FARM). Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info; PDF_URI). PDF contains an external URL action.
- Object number defined twice with different bodies (info; PDF_DUPLICATE_OBJ_BODY_INCREMENTAL). The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info; EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs (channel in brackets):
- https://xezojetit.ru/strik?utm_term=libro+de+baldor+algebra+pdf+nueva+edicion [PDF link annotation]
- http://spainsale.pro/bepulegiberp66z4.pdf [In PDF document text]
- https://cdn-cms.f-static.net/uploads/4458856/normal_5fd39050390d0.pdf [In PDF document text]
- https://roturusuwanowus.weebly.com/uploads/1/3/4/3/134363773/lozeniwosalorezewov.pdf [In PDF document text]
- https://static.s123-cdn-static.com/uploads/4465127/normal_5ff8134965ab2.pdf [In PDF document text]
- https://nunipotewisi.weebly.com/uploads/1/3/4/8/134892443/bovakukaral.pdf [In PDF document text]
- https://toxafowusolele.weebly.com/uploads/1/3/2/8/132815148/ponimewolebilox-meberavumutuvu-kuroto.pdf [In PDF document text]
- http://zahlungsservice-ch.site/34649521174m8bd0.pdf [In PDF document text]
- http://mangalvpodarok.ru/58059325157cwu0m.pdf [In PDF document text]
- https://vadibuxazuxubaw.weebly.com/uploads/1/3/4/8/134855910/xiluvepuk-wapamok-lejaxol-gimifuniz.pdf [In PDF document text]
- http://weareanonymous.org/cebuano_english_translator_pro_apk3rt2o.pdf [In PDF document text]
- http://www.ascendercorp.com/ [In PDF document text]
- http://www.ascendercorp.com/typedesigners.html [In PDF document text]
- https://uploads.strikinglycdn.com/files/85c1b1e5-f79d-44f8-876f-8323a11154dc/how_to_prepare_contribution_format_income_statement.pdf [In PDF document text]
- https://54957a25-093b-4cbd-a4f0-8eb5fea931f0.filesusr.com/ugd/8ba634_c48205b38841402eb720c7f666f147cd.pdf?index=true [In PDF document text]
- https://uploads.strikinglycdn.com/files/3adc43b4-4e1e-4f7e-a4c0-683109931d42/87366897598.pdf [In PDF document text]
- https://s3.amazonaws.com/divelatoxa/cute_baby_goat_videos.pdf [In PDF document text]
- https://s3.amazonaws.com/kesumasaka/37305213719.pdf [In PDF document text]
- https://3f5765b5-411c-4b28-96d1-a1e3b219bcee.filesusr.com/ugd/ca847e_eab3bba47262428f8bebfc9cffbb041c.pdf?index=true [In PDF document text]
- https://s3.amazonaws.com/pazatuv/bittorrent_websites_to_from.pdf [In PDF document text]
- https://s3.amazonaws.com/vokeri/mtd_yard_machine_snow_blower_carb.pdf [In PDF document text]
- https://uploads.strikinglycdn.com/files/ac0d73c2-9fa4-4a32-96c0-5ddea221fa74/how_to_use_fossil_gen_5_watch.pdf [In PDF document text]
- https://s3.amazonaws.com/vibuvomomuv/shaco_ap_jungle_guide.pdf [In PDF document text]
- https://9e7b01ce-91ce-414a-93c5-ade8df4b7359.filesusr.com/ugd/cfbfd2_0e3a1b7708494c63b1dce36135eabbe5.pdf?index=true [In PDF document text]
- https://7031c68c-cf47-488c-b9bd-b344696616f5.filesusr.com/ugd/51e9e9_f656ab3cf92d4e9c92b4b4d164562062.pdf?index=true [In PDF document text]
- https://uploads.strikinglycdn.com/files/78011932-58ab-4439-a3a9-d37c384ff4f5/lenovo_smart_band_app_for_iphone.pdf [In PDF document text]
- https://uploads.strikinglycdn.com/files/68eb9b92-9ed9-4b7b-83cc-125bdbd3f475/biontech_share_price_today.pdf [In PDF document text]
- http://www.w3.org/1999/02/22-rdf-syntax-ns# [In PDF document text]
- http://purl.org/dc/elements/1.1/ [In PDF document text]
- http://ns.adobe.com/pdf/1.3/ [In PDF document text]
- http://ns.adobe.com/xap/1.0/ [In PDF document text]
- http://ns.adobe.com/xap/1.0/mm/ [In PDF document text]
- http://ns.adobe.com/xap/1.0/rights/ [In PDF document text]
- http://scripts.sil.org/OFL [In PDF document text]
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000d97e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD97E | 5288 bytes | fcd011a50224ecff41fb340e2e8f6d81a671f02cef41f79932dcdbc550c299c2 |
| font_01_sfnt_off0000eb95.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB95 | 10168 bytes | e4d2059b42edbd5efad169b8d97785ba85717b274ccaaa8530afbb2c80d0d9e8 |