Malware Insights
This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It functions as a link farm, containing numerous external URLs pointing to other PDF documents, many hosted on disposable domains. The primary URL, https://mezovuduw.ru/strik?utm_term=james+patterson+new+book+releases+2019, suggests a lure related to book releases, which is a common phishing tactic. The presence of many external links, some on disposable hosting, is indicative of SEO manipulation or a distribution mechanism for further malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://mezovuduw.ru/strik?utm_term=james+patterson+new+book+releases+2019 PDF link annotation
- http://tolumibawaka.iblogger.org/what_is_the_secret_history_of_the_mongols.pdfIn PDF document text
- https://cdn.sqhk.co/mozoposowi/bhz6jZg/peneme.pdfIn PDF document text
- https://cdn.sqhk.co/neliwuwo/giUsWRR/fijedofosupizi.pdfIn PDF document text
- https://cdn.sqhk.co/diwiporeb/iijbHHe/discovery_family_go_roku.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://6e8b94c7-278c-4a65-9c30-8d61c93a8f31.filesusr.com/ugd/9ff9b8_9844a7c287264b1597311ab59c27fbe2.pdf?index=trueIn PDF document text
- https://e0271a52-a7af-48e9-8a99-924ce320ec62.filesusr.com/ugd/be5703_9b273a76106149adb5728a1d65c18c58.pdf?index=trueIn PDF document text
- https://8ab1a2d5-e5b1-44c5-a28c-e09959565f0d.filesusr.com/ugd/eb712c_3fe828ff1cfe4e7493699d9ca00cf09d.pdf?index=trueIn PDF document text
- https://a21f0d7d-5fe0-4a99-a381-3b18266e0880.filesusr.com/ugd/6c313a_e6d7a2be7b074723b9039ccbb20c6933.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/cb865a0b-40bf-471c-82e4-b329127caca3/39717971635.pdfIn PDF document text
- https://bb74f61c-7045-47bf-9a7e-968101ee373e.filesusr.com/ugd/81ef4b_0364966cf0844b6ba0d09c1eec292ac9.pdf?index=trueIn PDF document text
- https://98be45bc-63b9-4117-aff7-84a3d4f2c4a0.filesusr.com/ugd/90c678_798ec865aefa4fd6bc89c527570c227b.pdf?index=trueIn PDF document text
- https://1a6defe7-92a0-4357-8a70-d3bce85d30c9.filesusr.com/ugd/385065_f110091fbafb4b358feb217f42fa4a62.pdf?index=trueIn PDF document text
- https://f815f12b-539f-4060-8ed9-abd2caada31b.filesusr.com/ugd/ceb2e8_ac64acc7a0ad47ee824c55879244292b.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/c437252b-2f06-4810-88fb-e6918e5439a3/97586437728.pdfIn PDF document text
- https://0c1adbbe-b65a-4c28-9da2-87cea21e0636.filesusr.com/ugd/496951_14340ffaf5454c609704ecbf13ae3802.pdf?index=trueIn PDF document text
- https://11fe2947-f393-4df3-905d-f9f3730e834a.filesusr.com/ugd/b1b16e_ecd31b65dcd74cfaaf8e0b4d462769eb.pdf?index=trueIn PDF document text
- http://nipesuvaz.epizy.com/17107878950.pdfIn PDF document text
- https://4ef57e19-9a2e-4e6f-a444-f6b59f982a39.filesusr.com/ugd/4c1554_e362795f90ec4fb0af0c7b8595b83d7c.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/5baa3d49-b076-4823-a84b-bf436678af25/7151639075.pdfIn PDF document text
- https://636e06b3-920c-4898-b827-ef778bbbc101.filesusr.com/ugd/40512e_30191480acb24b40ac3ff174dff377ff.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/7f98b95c-9eb2-45d6-8685-c9660f106f7d/wevulupebepi.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00011361.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11361 | 5732 bytes |
SHA-256: e42aa68da06a1e516b9618c329ab6e1187ce1719456a3db3bf07f5fca879c7fa |
|||
font_01_sfnt_off000126e8.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x126E8 | 11540 bytes |
SHA-256: 7202ba621f156061b1b2099e576b944e1621cd02439f4789258240115575ad4a |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.