Verdict: MALICIOUS
Risk Score: 126

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains numerous embedded URLs, many pointing to disposable hosting, suggesting a link farm designed to redirect users to malicious sites. The PDF_SEO_DISPOSABLE_LINK_FARM heuristic indicates a deliberate attempt to create a large number of links on potentially untrusted domains.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9993
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]. ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]. Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI [info, PDF_URI]. PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]. The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://druttle.ru/strik?utm_term=how+to+read+line+diagram+electrical (PDF link annotation)
  - https://cdn-cms.f-static.net/uploads/4408853/normal_604bc53e3071f.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4404953/normal_604d3f9301f85.pdf (in PDF document text)
  - http://uspex22.online/human_anatomy_and_physiology_laboratory_13th_editiontbrrn.pdf (in PDF document text)
  - https://panulozeti.weebly.com/uploads/1/3/5/3/135351273/2a57fafdab5.pdf (in PDF document text)
  - https://wafebunutixiwi.weebly.com/uploads/1/3/4/1/134109037/d02e8bc94fd4ee.pdf (in PDF document text)
  - http://workmonster.net/anime_music_piano_tiles_ost_mod_apkt1jcz.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4413373/normal_6043194f17606.pdf (in PDF document text)
  - http://qwert-ita.fun/6063403037333nvr.pdf (in PDF document text)
  - http://evatopshop.xyz/diraxawupam2t20s.pdf (in PDF document text)
  - http://okstore.info/what_type_of_questions_are_asked_in_llb_entrance_examjavcq.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - https://uploads.strikinglycdn.com/files/1bc9b877-81b1-4d81-a23d-58bcb2655697/what_does_heat_mode_in_ac_means.pdf (in PDF document text)
  - https://s3.amazonaws.com/vifusupegiza/jirapexudujaruxebuges.pdf (in PDF document text)
  - https://9d349da1-218b-4b59-9e37-2a90cab56d40.filesusr.com/ugd/de9003_3de7344919d244129b91f1022c327a6f.pdf?index=true (in PDF document text)
  - https://s3.amazonaws.com/gurupixabogivaz/55213715995.pdf (in PDF document text)
  - https://s3.amazonaws.com/jinotugiwomo/coca_cola_sustainability_report_2016.pdf (in PDF document text)
  - https://6739ca04-605d-4ff4-b4c9-4e5bd75a7819.filesusr.com/ugd/031dda_d99011a1aad147b283531762e1927445.pdf?index=true (in PDF document text)
  - https://92ddf5cc-4ce7-4caf-b117-8241c553a727.filesusr.com/ugd/42bae0_33a7c31762254cb9aaf79a61ca6195f0.pdf?index=true (in PDF document text)
  - https://s3.amazonaws.com/retisovojor/55192710529.pdf (in PDF document text)
  - https://s3.amazonaws.com/runuzitexokol/11607812068.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/aaca354d-ed73-4f96-a844-a78fe3ed64fc/dajiwobi.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/84fdd6e0-5aa5-4788-8876-ea7651379d49/what_is_the_formula_for_volumetric_efficiency.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/95ed7de4-e0d5-492f-9ee0-eeda5e272ff2/pegikep.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/8910598f-2b76-4299-8f65-1dcc0971aecc/87798030797.pdf (in PDF document text)
  - https://7be326e9-a1fd-4761-a84c-83c904220737.filesusr.com/ugd/37e945_3de5e5e80bea4795b489e33ceb5ef58a.pdf?index=true (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
  - http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000feab.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFEAB | 5136 bytes | 627a830a2261712117dc46c8597ddfe5c577d0a2eaec07ddf33c22177355749d |
| font_01_sfnt_off0001101c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1101C | 10552 bytes | bd49b8977944ff89d5079f7cc85526fd546f0c3698eb0ae0a54d681a3c56505c |