Verdict: MALICIOUS
Risk Score: 196
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
T1203 Exploitation for Client Execution
This PDF document exhibits characteristics of a social engineering attack, specifically a ClickFix variant, by presenting itself as a technical guide to prompt user interaction. The presence of a mass external link farm and embedded URLs, including one pointing to a potentially malicious domain, suggests an attempt to redirect the user to a malicious site or download a secondary payload. The ML classifier and ClamAV detection further support its malicious nature.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9997
Heuristics (6)
- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClickFix social engineering attack (high, SE_CLICKFIX): Document instructs the user to press Win+R or paste a command into a terminal, consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://leonvi.ru/strik?utm_term=how+to+check+hdd+serial+number+using+cmd (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f4c9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF4C9 | 5612 bytes | f4b95d066359ca4fe1aa0a157b8e71d796d1df20d99a223def644130b65bab0b |
| font_01_sfnt_off000107be.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x107BE | 10792 bytes | ba6e789a1c3b13a24018bbc621510b85e54b78bb6910de1f0658c09b59723065 |