MALICIOUS
166
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains multiple external URLs, with one being a link farm on disposable hosting, suggesting a phishing or malware distribution attempt. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic indicates the document likely instructs the user to open a password-protected archive, a common tactic to evade gateway scanning. The ML classifier and ClamAV detection strongly support a malicious classification. No scripts were extracted, but the overall structure and heuristics point to a phishing lure.
Machine Learning
- Nyx PDF Classifier malicious score 0.9989
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://vilenefex.ru/strik?utm_term=los+7+habitos+de+la+gente+altamente+efectiva+steven+covey+resumen PDF link annotation
- https://cdn.sqhk.co/wakivunet/hcjaChc/gun_shoot_war.pdfIn PDF document text
- http://islandlandscapesbb.com/wezarerigojixotifugazeck8d.pdfIn PDF document text
- https://cdn.sqhk.co/vipujitebiki/jCNge4A/dizizuseg.pdfIn PDF document text
- http://myirn.icu/lawulakivzlrj.pdfIn PDF document text
- http://zutumufedige.getenjoyment.net/new_technology_in_road_construction.pdfIn PDF document text
- http://kersita.fun/tuzesovizapugasofedo0q72d.pdfIn PDF document text
- http://uorott.com/97905001178qukxu.pdfIn PDF document text
- https://cdn.sqhk.co/dopebuxoz/Hgcqidt/68319718452.pdfIn PDF document text
- http://trycabinets.xyz/42820923134wzzbp.pdfIn PDF document text
- http://ramuwesitavoz.mywebcommunity.org/maytag_washer_appliance_parts_near_me.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://b5b764bc-4fc6-48d7-9a4b-423a4d05f225.filesusr.com/ugd/3f2390_307ab34efb8e49f794f36c6d662f6294.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/4f4961e4-2288-4983-995a-ab4d2da543c1/sonar_platinum_plugins.pdfIn PDF document text
- https://s3.amazonaws.com/gajabedafot/xonifipamuvoletigasid.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/61dccb87-ea45-413e-9e0f-3c51555be77c/tipozizege.pdfIn PDF document text
- https://s3.amazonaws.com/lekezaru/categorical_data_analysis_wiley.pdfIn PDF document text
- https://s3.amazonaws.com/vofadoloves/sezijanenoxasulivajififuf.pdfIn PDF document text
- https://bb74f61c-7045-47bf-9a7e-968101ee373e.filesusr.com/ugd/81ef4b_21f4688a134740fa905ebfe8ea097370.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/c5b2dd2d-2a07-4419-873f-1a8340e97e8d/47137139002.pdfIn PDF document text
- https://s3.amazonaws.com/gewuwasi/decode_bitmap_image_android.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/2bc5c886-c2cf-4c43-bc9c-e59d4f44b2c3/31934787021.pdfIn PDF document text
- https://17851959-1482-4b49-8222-7b7b0c628459.filesusr.com/ugd/3cb679_99d2576326d643d199048d046accc383.pdf?index=trueIn PDF document text
- https://02408c19-b9f6-4996-a596-1d5b7e46c8d3.filesusr.com/ugd/c83fdb_8847922924874ff7a49912829d697a23.pdf?index=trueIn PDF document text
- http://xufolat.atwebpages.com/west_side_story_maria_score.pdfIn PDF document text
- https://s3.amazonaws.com/vixuwogetiv/wotora.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000db4c.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDB4C | 3080 bytes |
SHA-256: 5510861e0701cb7f7f57c1c4f6c9cfe19f8a483cefdede93edc0bf9cc0aea221 |
|||
font_01_sfnt_off0000e654.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE654 | 5760 bytes |
SHA-256: 647f1f5aa1514be2914d2c50c813f35b0f7015e4bf5da4511b80b5803ff9d9d5 |
|||
font_02_sfnt_off0000f9d9.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF9D9 | 10908 bytes |
SHA-256: 41a57bab2729ee1b90b2cc88bc4683a347f09cdee19a7b0f985656ba5e9cc224 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.