MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains numerous external links, many hosted on disposable domains, suggesting a link farm designed for SEO manipulation or phishing. The primary URL, 'https://xezojetit.ru/wix?keyword=recovery+account+password+facebook', indicates a phishing attempt related to account recovery. ClamAV and ML classifiers also flagged this PDF as malicious, specifically as a phishing trojan.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://xezojetit.ru/wix?keyword=recovery+account+password+facebook PDF link annotation
- https://cdn-cms.f-static.net/uploads/4492574/normal_602eecbc19ee0.pdfIn PDF document text
- http://marketitaly.info/gituxikelanakurudjfw7l.pdfIn PDF document text
- https://cdn.sqhk.co/zudilubal/Uidlija/torque_burnout_unlock_all_cars_apk.pdfIn PDF document text
- https://cdn.sqhk.co/baxoladipezu/8hbKyNK/16041987695.pdfIn PDF document text
- http://keepsufi.space/61025145483muv05.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4379605/normal_5fe74bc3aa615.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4447649/normal_602e33b2237d9.pdfIn PDF document text
- https://cdn.sqhk.co/kajurineg/jb37jbU/super_vpn_for_pubg_mobile_download.pdfIn PDF document text
- https://cdn.sqhk.co/labifikup/Ygjjohh/bexaxotimomuvivavavexof.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/50dc6063-2bb9-4551-a517-fd0b13a4e93e/nescafe_dolce_gusto_coffee_machine_instructions.pdfIn PDF document text
- https://13adc596-845f-4f4a-b539-e2c04a0a4b5a.filesusr.com/ugd/6e2da7_0951567d51f746b394491584bb6320f5.pdf?index=trueIn PDF document text
- https://2863666b-9d79-467d-9aad-9eeb6dafbdf2.filesusr.com/ugd/6ee3eb_8d8e0e8e03de4fff96fb36276c18f5ba.pdf?index=trueIn PDF document text
- https://e114ad41-1367-46fe-a5fd-427bf640f69d.filesusr.com/ugd/a63c55_bbc1f55443574a39b8e617c0f21c4ec3.pdf?index=trueIn PDF document text
- https://7c9e9c40-2b96-4f88-8065-b5ff5e495659.filesusr.com/ugd/3bfcae_855b334c18a34d02ad60b05f2e533218.pdf?index=trueIn PDF document text
- https://6ce95562-7558-49ee-a7b0-b3003db3b0e9.filesusr.com/ugd/d13e1f_60d1798b72d34a9fb01743add7f06398.pdf?index=trueIn PDF document text
- https://5b3fc17b-a4fb-4144-9a53-ff617e35bc6a.filesusr.com/ugd/696117_ef3d40838a534bb1a339066e25402d69.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/0e1222d1-7a1a-4db3-b286-4c291dfe9791/11363484992.pdfIn PDF document text
- https://6cb1c90e-07cf-4522-b85d-4edd8abc33c8.filesusr.com/ugd/0c41e7_e7681e461bc64fcd84895f7d3e2bec23.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/cf18ca60-a73b-4daa-a378-25d60e877f82/wopajepugikivaminejo.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00010716.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10716 | 5584 bytes |
SHA-256: ebd16e2922d6f8634c408bf977037fd139d22b3bc6216abb88738706b6693c8c |
|||
font_01_sfnt_off00011a3e.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11A3E | 14724 bytes |
SHA-256: 3c46bf3648e0ea2ed30669325cef22cdfbd946bd04a52b3d716694570728c7a2 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.