MALICIOUS
194
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many of which point to disposable domains, suggesting a link farm designed to redirect users to potentially harmful content. The document body, though heavily obfuscated, appears to be a lure related to 'piano sheet simple', likely to trick users into clicking the embedded malicious URLs.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://midufefew.ru/123?utm_term=for+elise+piano+sheet+simple PDF link annotation
- http://scrlt.xyz/humpty_dumpty_cheese_sticks_nutrition_information5mqzd.pdfIn PDF document text
- https://cdn.sqhk.co/logubaxe/fzZuijf/swordman_reforged_mod.pdfIn PDF document text
- http://flipping-car.online/shmoop_atonement_part_2jrmzx.pdfIn PDF document text
- https://pigaxapi.weebly.com/uploads/1/3/2/8/132815084/tavuwobulin-muvipibi.pdfIn PDF document text
- https://ronogutelujevur.weebly.com/uploads/1/3/5/9/135956648/47dd1b962d4.pdfIn PDF document text
- https://cdn.sqhk.co/xorakulenido/pgvqQQh/arduino_coding_basics.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/aa4e850b-da9f-4cb5-95ee-391915b51592/60328499924.pdfIn PDF document text
- https://2a4065d7-883d-43e8-a524-7ce9aa4b4e88.filesusr.com/ugd/ccb1c6_910aaeaa4cf64d23885e014fa3992187.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/zuvovoxigumuz/humphrey_visual_field_analysis.pdfIn PDF document text
- https://6d251753-49d0-4f5b-a278-10ed1cacc9d0.filesusr.com/ugd/5c139a_a7fdaebf17e3444fb8fe07ebe94b819b.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/d16849d6-76c7-4b5e-b833-663d6e9594cf/free_grammar_worksheets_for_grade_5_with_answers.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/642fd330-da97-4cbe-8c61-5ad8f19093f4/maserati_granturismo_2012_price_new.pdfIn PDF document text
- https://d6d3a1c5-32ce-46e9-ae92-c5b8d84d65d9.filesusr.com/ugd/a3b54b_4d95d969c5fe43f490ee08be0b710265.pdf?index=trueIn PDF document text
- https://9f53eded-325d-4e02-8430-7c09bd872488.filesusr.com/ugd/e04405_4da5d973fecb4710b4e2a6fbae451d60.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/eb079337-8290-42bf-bc21-dfcf1ee68c45/sony_cyber-shot_rx100_viii_release_date.pdfIn PDF document text
- https://s3.amazonaws.com/wovugi/15462943767.pdfIn PDF document text
- https://s3.amazonaws.com/kaxukok/13068044426.pdfIn PDF document text
- https://4a1cfc67-5981-466d-a13b-75576fe7431f.filesusr.com/ugd/64e449_fcc9bb67b7fd4b68b254a66c57253997.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/9c2182fc-5d52-4b16-a554-19af59e4899c/data_communication_and_networking_mcqs_with_answers_download.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000d925.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD925 | 5012 bytes |
SHA-256: 8fe52584d54064f099f666b69558171d0c8ff134c3405729d6f2f52faae55855 |
|||
font_01_sfnt_off0000ea06.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEA06 | 10792 bytes |
SHA-256: d44771c1b7468b13a0c0fa9d942b21d4dc6d8e30486ed1c2a7e08b8c89946a05 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.