Verdict: MALICIOUS
Risk Score: 156

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF file contains a large number of external links, many of which point to other PDF files, suggesting a link farm or SEO poisoning tactic. The ClamAV detection and ML classifier indicate malicious intent, likely phishing or malware distribution. The embedded URLs and the heuristic 'PDF_SEO_LINK_FARM' strongly suggest the document's purpose is to redirect users to potentially harmful content.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9927
Heuristics (5)
- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (8)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000ee4f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEE4F | 6508 bytes | af01be969e593b3dd735d83b06e8c91fff99a75c2d64d06d7b4c75f7fd14a8e1 |
| font_01_sfnt_off0000fe56.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFE56 | 2880 bytes | 73e95823cac94483bc0534e7df5546d784cd8097fc2b0cd0989c02c37830543f |
| font_02_sfnt_off00010898.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10898 | 5308 bytes | 463977020b689af357f3544aba5f4e405c1d25ec3fc1a7604118c3ee8d786d01 |
| font_03_sfnt_off00011aa4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11AA4 | 7228 bytes | e43ff74e8329f1d085ead08bd23837bb8ae894c4a5c9331fd519c7808b3ff71e |
| font_04_sfnt_off000131b3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x131B3 | 2588 bytes | a97ca08162d97cb9875df6bd2694da6d6dc04da65e45b2bb52fd3675b7d019b3 |
| font_05_sfnt_off00013cf1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13CF1 | 12520 bytes | ae98fa2e126429d731405f73bdf36fe17a82b90ff28b63096510ce28a581c36b |
| font_06_sfnt_off00016702.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16702 | 16400 bytes | 8a2c257830d752b9db42df6adda505028570fa7c63abc04de192d83bd8822b76 |
| font_07_sfnt_off00017d26.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17D26 | 4324 bytes | 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2 |