Verdict: MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF is classified as malicious by the ML classifier and by ClamAV, which flags it as a phishing/trojan delivery document. It carries dozens of external URLs, most pointing at free or disposable hosting, consistent with an SEO link farm that routes readers into further payload or redirect chains rather than a document that cites sources. The lure is a 'family tree chart template', the search term carried in the utm_term parameter of the document's single link annotation, which places it in the 'free document/template' SEO phishing family. No exploit code is present in the file itself; the risk lies in the linked destinations.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9991
Heuristics (5)
- CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- PDF_SEO_DISPOSABLE_LINK_FARM (medium): Small PDF is a non-clustered link farm on disposable hosting. The PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family: it ranks for search queries and routes users into payload/redirect chains, rather than following a normal document-citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- PDF_URI (info): External URI. The PDF contains an external URL action.
- PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies. The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- EMBEDDED_URL (info): Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  Per-URL labels:
  - https://xezojetit.ru/strik?utm_term=family+tree+chart+template (PDF link annotation)
  - http://deutschebank-meine.com/apeman_h45_trail_camera_instruction_manuallc427.pdf (in PDF document text)
  - http://tuvurebomiworo.scienceontheweb.net/diploma_applied_mathematics_1.pdf (in PDF document text)
  - http://babysampler.com/pro-sumer_power_ii_ebookr6ire.pdf (in PDF document text)
  - http://xsafak.com/9212793994803vnc.pdf (in PDF document text)
  - http://bufezipuduxev.mywebcommunity.org/ateten_gmlek.pdf (in PDF document text)
  - http://biniwitovo.mywebcommunity.org/42395559181.pdf (in PDF document text)
  - http://gedirobidepud.scienceontheweb.net/56972684679.pdf (in PDF document text)
  - http://loveantravel.xyz/how_to_make_balloon_animals3rmyn.pdf (in PDF document text)
  - http://bestita.space/2891770353213hvf.pdf (in PDF document text)
  - http://zexofezureza.iblogger.org/hungry_shark_evo_apk_android_oyun_club.pdf (in PDF document text)
  - http://nowatora.22web.org/attendance_management_system_using_face_recognition_report.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - https://s3.amazonaws.com/wazotojemov/how_to_fix_ink_pad_epson_l110.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/7fe852ac-860e-491c-9f99-ebcd61192612/wopovut.pdf (in PDF document text)
  - http://saxarivoje.onlinewebshop.net/hogwarts_a_history.pdf (in PDF document text)
  - http://rogofideb.onlinewebshop.net/taxorufigej.pdf (in PDF document text)
  - https://s3.amazonaws.com/dixaleko/astera_ax3_manual.pdf (in PDF document text)
  - http://zowofiz.myartsonline.com/75984897552.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/48109182-8bd4-4b62-b116-d55581ad95ed/how_to_remember_the_atomic_mass_of_first_20_elements.pdf (in PDF document text)
  - http://budezeja.rf.gd/nagejaluwirirekezuwoz.pdf (in PDF document text)
  - https://s3.amazonaws.com/dopugaxelelema/kejajidobafivanalivogas.pdf (in PDF document text)
  - http://lumosaneja.onlinewebshop.net/pes_manual_usmc_2018.pdf (in PDF document text)
  - http://zopiselewanut.epizy.com/25410644750.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/de1fd8a6-0a6e-48cd-84bc-15b008458ff4/how_to_install_sq8_mini_dv_camera.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/de36108c-dbf8-4777-9360-ed1739f2fda2/manekagafu.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/077b1d07-13ee-4ad8-816e-c8b0dbb4d870/liftmaster_not_closing.pdf (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
  - http://scripts.sil.org/OFL (in PDF document text)
  The last seven entries (w3.org, purl.org, ns.adobe.com and scripts.sil.org) are XMP schema namespace URIs and the SIL Open Font License URL: standard metadata strings, not clickable links, and should be excluded when counting the link farm.
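The signals PDF_SEO_DISPOSABLE_LINK_FARM reasons about, computed over the URLs listed in this report, as an added example that is not the analyzer's own code: how thinly the external .pdf links are spread across hosts, whether a utm_term redirector is present, and how many links sit on free/disposable hosting. SAMPLE_URLS is copied from the per-URL list above; the disposable-host suffix list, the metadata-namespace filter and the thresholds (min_links, max_top_share) are illustrative assumptions, since the real rule's values are not given on this page.

```python
# Added example, not the analyzer's own code. SAMPLE_URLS is copied from this
# report's per-URL list; the disposable-host suffixes, metadata prefixes and the
# thresholds are illustrative assumptions, not the analyzer's real rule values.
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Free/disposable hosting where SEO-farm PDFs get parked (assumed list).
DISPOSABLE_SUFFIXES = (
    "scienceontheweb.net", "mywebcommunity.org", "iblogger.org", "22web.org",
    "onlinewebshop.net", "myartsonline.com", "rf.gd", "epizy.com",
    "s3.amazonaws.com", "uploads.strikinglycdn.com",
)
# XMP/schema namespace URIs found in nearly every PDF's metadata; not links.
METADATA_PREFIXES = ("http://www.w3.org/", "http://purl.org/",
                     "http://ns.adobe.com/", "http://scripts.sil.org/")


def is_disposable(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in DISPOSABLE_SUFFIXES)


def link_farm_features(urls):
    """Signals the heuristic reasons about, computed from a list of URL strings."""
    pdf_links = [u for u in urls if not u.startswith(METADATA_PREFIXES)
                 and urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname or "" for u in pdf_links)
    return {
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        # 1.0 means one host owns every link; a farm stays well below that.
        "top_host_share": max(hosts.values()) / len(pdf_links) if pdf_links else 0.0,
        "seo_redirectors": [u for u in urls
                            if "utm_term" in parse_qs(urlsplit(u).query)],
        "disposable_links": sum(is_disposable(h) for h in hosts.elements()),
    }


def is_disposable_link_farm(urls, min_links=10, max_top_share=0.35):
    """Many external .pdf links, no dominant host, corroborated by a utm_term
    redirector or by most of the links sitting on disposable hosts."""
    f = link_farm_features(urls)
    spread_thin = f["pdf_links"] >= min_links and f["top_host_share"] <= max_top_share
    corroborated = bool(f["seo_redirectors"]) or 2 * f["disposable_links"] >= f["pdf_links"]
    return spread_thin and corroborated


# URLs carried by the sample, copied from the per-URL list in this report.
SAMPLE_URLS = [
    "https://xezojetit.ru/strik?utm_term=family+tree+chart+template",
    "http://deutschebank-meine.com/apeman_h45_trail_camera_instruction_manuallc427.pdf",
    "http://tuvurebomiworo.scienceontheweb.net/diploma_applied_mathematics_1.pdf",
    "http://babysampler.com/pro-sumer_power_ii_ebookr6ire.pdf",
    "http://xsafak.com/9212793994803vnc.pdf",
    "http://bufezipuduxev.mywebcommunity.org/ateten_gmlek.pdf",
    "http://biniwitovo.mywebcommunity.org/42395559181.pdf",
    "http://gedirobidepud.scienceontheweb.net/56972684679.pdf",
    "http://loveantravel.xyz/how_to_make_balloon_animals3rmyn.pdf",
    "http://bestita.space/2891770353213hvf.pdf",
    "http://zexofezureza.iblogger.org/hungry_shark_evo_apk_android_oyun_club.pdf",
    "http://nowatora.22web.org/attendance_management_system_using_face_recognition_report.pdf",
    "http://www.ascendercorp.com/",
    "http://www.ascendercorp.com/typedesigners.html",
    "https://s3.amazonaws.com/wazotojemov/how_to_fix_ink_pad_epson_l110.pdf",
    "https://uploads.strikinglycdn.com/files/7fe852ac-860e-491c-9f99-ebcd61192612/wopovut.pdf",
    "http://saxarivoje.onlinewebshop.net/hogwarts_a_history.pdf",
    "http://rogofideb.onlinewebshop.net/taxorufigej.pdf",
    "https://s3.amazonaws.com/dixaleko/astera_ax3_manual.pdf",
    "http://zowofiz.myartsonline.com/75984897552.pdf",
    "https://uploads.strikinglycdn.com/files/48109182-8bd4-4b62-b116-d55581ad95ed/how_to_remember_the_atomic_mass_of_first_20_elements.pdf",
    "http://budezeja.rf.gd/nagejaluwirirekezuwoz.pdf",
    "https://s3.amazonaws.com/dopugaxelelema/kejajidobafivanalivogas.pdf",
    "http://lumosaneja.onlinewebshop.net/pes_manual_usmc_2018.pdf",
    "http://zopiselewanut.epizy.com/25410644750.pdf",
    "https://uploads.strikinglycdn.com/files/de1fd8a6-0a6e-48cd-84bc-15b008458ff4/how_to_install_sq8_mini_dv_camera.pdf",
    "https://uploads.strikinglycdn.com/files/de36108c-dbf8-4777-9360-ed1739f2fda2/manekagafu.pdf",
    "https://uploads.strikinglycdn.com/files/077b1d07-13ee-4ad8-816e-c8b0dbb4d870/liftmaster_not_closing.pdf",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://ns.adobe.com/xap/1.0/",
    "http://scripts.sil.org/OFL",
]

if __name__ == "__main__":
    print(link_farm_features(SAMPLE_URLS))
    print("link farm:", is_disposable_link_farm(SAMPLE_URLS))
```

On this sample the features come out as 25 .pdf links over 19 distinct hosts, the busiest host (uploads.strikinglycdn.com) holding only a fifth of them, one utm_term redirector and 20 of the 25 links on disposable hosts, so the verdict is true; a document whose dozen references all point at one publisher's host scores false because a single host dominates.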
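The parser-confusion shape PDF_DUPLICATE_OBJ_BODY_INCREMENTAL describes, as an added example rather than the analyzer's code: a regex walk over `N G obj ... endobj` definitions that reports objects redefined with different bodies, resolves each the way a first-wins and a last-wins reader would, and raises severity only when a conflicting definition carries an action key. SAMPLE_PDF is constructed for the example (a minimal one-page file with no xref table, whose link annotation is redefined in an incremental update to gain a /URI action); ACTIVE_KEYS and the severity labels are assumptions, and the parser only handles plain, uncompressed object layouts.

```python
# Added example, not the analyzer's own code: detect an indirect object that is
# defined more than once with different body bytes, show that first-wins and
# last-wins readers resolve different content, and raise severity only when a
# duplicate carries active content. SAMPLE_PDF is a constructed minimal file
# (no xref table); the regex parser assumes plain, uncompressed objects.
import re
from collections import defaultdict

# "N G obj ... endobj", with a lookbehind so "14 0 obj" is not read as "4 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)

# Dictionary keys that make an object "active" (assumed list): URL actions,
# scripts, launch hooks and automatic triggers.
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")


def object_bodies(pdf: bytes):
    """Map (num, gen) -> list of body bytes for every definition, in file order."""
    bodies = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        bodies[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return bodies


def find_duplicate_objects(pdf: bytes):
    """Objects defined more than once with *different* bodies. Re-definitions
    with identical bytes are ignored (ordinary incremental-update noise)."""
    return {k: v for k, v in object_bodies(pdf).items() if len(set(v)) > 1}


def resolve(pdf: bytes, num: int, gen: int = 0, policy: str = "last"):
    """Body a first-wins or last-wins reader would use for (num, gen)."""
    defs = object_bodies(pdf).get((num, gen))
    if not defs:
        return None
    return defs[-1] if policy == "last" else defs[0]


def duplicate_obj_severity(pdf: bytes) -> str:
    """'none' without conflicting duplicates, 'info' for body-only differences,
    'raised' when any conflicting definition carries an active key."""
    dups = find_duplicate_objects(pdf)
    if not dups:
        return "none"
    active = any(k in body for bodies in dups.values()
                 for body in bodies for k in ACTIVE_KEYS)
    return "raised" if active else "info"


# Constructed sample: a one-page PDF whose link annotation (object 4) is
# redefined in an incremental update to gain a /URI action.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://example.invalid/redirect) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for key, defs in find_duplicate_objects(SAMPLE_PDF).items():
        print(key, "first-wins:", resolve(SAMPLE_PDF, *key, policy="first"))
        print(key, "last-wins: ", resolve(SAMPLE_PDF, *key, policy="last"))
    print("severity:", duplicate_obj_severity(SAMPLE_PDF))
```

A first-wins reader sees a plain link rectangle for object 4 while a last-wins reader follows the /URI action, which is exactly the split the heuristic warns about; the same file with the second definition changed only in a cosmetic key (for instance /Border) still shows a conflicting duplicate but stays at the info level, and a file where every object is defined once reports none.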
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000eb33.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB33 | 5052 bytes | cfbbed75903a8a7fa5053f2ed06b79ce75c51cfcfe525e895a21b1dda565dff0 |
| font_01_sfnt_off0000fc43.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFC43 | 10524 bytes | 89b71fe0d9f3daafed7fb80d0d5377b0db331859c6f3d253b250d6e5ba921300 |