Risk Score: 186 (MALICIOUS)
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 6
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI [info, PDF_URI]: PDF contains an external URL action
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URLs extracted (channel in parentheses)
- https://soxebez.ru/wix?keyword=eureka+pagos+quest+29 (PDF link annotation)
- https://cdn-cms.f-static.net/uploads/4412154/normal_601491816a915.pdf (in PDF document text)
- https://pesasujax.weebly.com/uploads/1/3/4/8/134882000/51ed6dcddc09b2.pdf (in PDF document text)
- https://cdn-cms.f-static.net/uploads/4470228/normal_604baed19ca6e.pdf (in PDF document text)
- https://zoditivifu.weebly.com/uploads/1/3/4/3/134316547/4cf7fcaf3.pdf (in PDF document text)
- https://vebunigujop.weebly.com/uploads/1/3/4/3/134367951/xikalezuk_jukidijajiwumuk_bexafuvol.pdf (in PDF document text)
- http://www.ascendercorp.com/ (in PDF document text)
- http://www.ascendercorp.com/typedesigners.html (in PDF document text)
- https://6b5d12f1-3bbc-48af-9ddb-5430d2fe15e7.filesusr.com/ugd/3bf302_c8c8ba14047146a78c0bb760843dcc9a.pdf?index=true (in PDF document text)
- http://puwomuf.rf.gd/tikuzuda.pdf (in PDF document text)
- http://givaradipokez.epizy.com/artificial_language_reasoning.pdf (in PDF document text)
- http://lesesopexapawu.rf.gd/85748793910.pdf (in PDF document text)
- https://17c3d818-7f64-4152-976a-2fa997d7a7be.filesusr.com/ugd/e2c250_dad826265c83486680e5fef48d2cfc6b.pdf?index=true (in PDF document text)
- https://878ee1be-828d-48b9-a24a-84283cf66a1c.filesusr.com/ugd/86936c_b274bb2582af43f886b0953ce90df22c.pdf?index=true (in PDF document text)
- https://e6b56e3c-1b88-4cfb-972d-ab1702b0a06e.filesusr.com/ugd/8c0e65_2f2a92f86ed14998927f129771beb198.pdf?index=true (in PDF document text)
- https://uploads.strikinglycdn.com/files/02254ba9-1173-4a98-a5df-47cdac50549d/how_to_acrylic_paint_abstract.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/83815fc9-06a9-42e6-a9c3-7bedd12b5065/kung_fu_panda_2_watch_movie.pdf (in PDF document text)
- http://sarobot.rf.gd/majirefapevegekeginitejo.pdf (in PDF document text)
- http://zometebuwafuwix.rf.gd/nvs_admission_form_2019.pdf (in PDF document text)
- http://doruzedom.epizy.com/advanced_technical_analysis_books.pdf (in PDF document text)
- http://vumopigaw.epizy.com/ark_survival_evolved_android_mod.pdf (in PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
- http://purl.org/dc/elements/1.1/ (in PDF document text)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
- http://scripts.sil.org/OFL (in PDF document text)
- http://dejavu.sourceforge.net (in PDF document text)
- http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000fe06.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFE06 | 5388 bytes | bae2026c6ef91977ca43319d2915c26f0b7536ca75da538397ca1aca475c3e89 |
| font_01_sfnt_off0001106c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1106C | 11188 bytes | 8a01cb847f3bbaef7fd648e6b03f8359b64cc6e7781cd25c43948c86f44c668d |
| font_02_sfnt_off000136ca.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x136CA | 16220 bytes | 525efa1969ed45ada3a0633ea1ea93af6038d947f26a3acb83cc836ec2ffe7a4 |