Verdict: MALICIOUS
Risk Score: 124
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample is identified as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous embedded URLs pointing to external sites, suggesting it functions as a lure or redirector. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' further supports this, indicating the PDF is part of a link farm on disposable hosting, commonly used for phishing or distributing further malware.
Machine Learning
- Nyx PDF Classifier malicious score 0.7561
Heuristics (4)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM). Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI). PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000d804.bin (hash: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD804 | 16792 bytes |
| font_01_sfnt_off0000f016.bin (hash: d2bfa1d3336a71477ca0ac3ae80a51176ebda8450e72923e8a622ecdfa6fb44e) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF016 | 19608 bytes |