MALICIOUS
204
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
T1204.002 Malicious Link
The PDF contains multiple heuristics indicating malicious intent, including a link farm, a payment redirection lure, and ClamAV detection as a phishing trojan. The embedded URL `https://ponafet.ru/wix?keyword=download+fly+gps+apk` suggests the document is designed to trick users into downloading an Android application, likely malicious. The presence of numerous external links, some benign and some unknown, further supports a phishing or malware distribution scheme.
Machine Learning
- Nyx PDF Classifier malicious score 0.9983
Heuristics 7
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LUREDocument describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ponafet.ru/wix?keyword=download+fly+gps+apk
- https://cdn.sqhk.co/teforoke/dxX0hiJ/notification_ringtone_download_pagalworld.pdf
- https://cdn.sqhk.co/tagubutapa/cVgeRje/62417048467.pdf
- https://cdn.sqhk.co/kupejabel/iaieUhh/rollerball_pens_for_sale.pdf
- https://cdn.sqhk.co/dojidavos/m1iagg9/ruderegu.pdf
- https://cdn.sqhk.co/fesakesovoka/A0MZhb5/b._o._t._a._tarot_deck_for_sale.pdf
- https://cdn.sqhk.co/gusiloxi/ejageau/screen_recorder_with_system_sound_recording.pdf
- https://cdn.sqhk.co/xejudawadoni/qugclhc/xarutigoj.pdf
- https://cdn.sqhk.co/rabovafom/2hcXGxE/what_colors_go_good_with_red_and_gold.pdf
- https://cdn.sqhk.co/bofotabi/igArUhb/44524369172.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://6b21c484-99f8-4e97-b77a-b77c054bfe5d.filesusr.com/ugd/f139d4_0a9b829388ab4e3aab43be7d65b99d1a.pdf?index=true
- https://s3.amazonaws.com/wemupajese/free_templates_for_website_bootstrap.pdf
- https://uploads.strikinglycdn.com/files/34fa2862-bd16-4ca4-b42e-0de257a12c15/10943862819.pdf
- https://2080fafa-2491-4ac3-8118-a138f33bff34.filesusr.com/ugd/822ecd_5309ce517e884f179f3cf03a8c416bfe.pdf?index=true
- https://uploads.strikinglycdn.com/files/be8b009b-ec28-4173-9d79-07ae24d55dc9/how_to_find_angles_of_isosceles_triangle.pdf
- https://s3.amazonaws.com/pogolo/alchemy_classic_game_mod_apk.pdf
- https://s3.amazonaws.com/senodiw/jikotumifit.pdf
- https://uploads.strikinglycdn.com/files/ad698010-c5a6-4981-bb95-5a5bc8cea00d/nadirokitewulever.pdf
- https://s3.amazonaws.com/kozewuposoridil/lenovo_t430_weight_kg.pdf
- https://uploads.strikinglycdn.com/files/187eba98-ad62-4358-950f-1ddb9b081ff9/precision_sewing_machine_vintage.pdf
- https://uploads.strikinglycdn.com/files/dd28aab2-5af0-4ae1-917c-9c5dca4904bd/grocery_price_comparison_spreadsheet_template.pdf
- https://uploads.strikinglycdn.com/files/d1bab103-a227-4934-805f-9856384dd0ea/87876376562.pdf
- https://3794eb9c-cc8b-492c-aecc-44533f76aaa6.filesusr.com/ugd/1ee69b_38c14600b3a54a569ed8c0be6523b952.pdf?index=true
- https://uploads.strikinglycdn.com/files/f36f6a46-8e28-42a0-95a0-ff5a4546b257/87296514815.pdf
- https://c33c3ce4-fa2f-4f19-9477-7a801b41b29e.filesusr.com/ugd/ebbcbd_a1e890bb76a24a83ae17a6e1ef44af25.pdf?index=true
- https://uploads.strikinglycdn.com/files/94494bdc-af44-4f4f-9043-a16bac3ad102/30698273330.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000ecdf.binb28f93423a56d8c88ba90bf2f0d8119c0ddd81f5ab633879923f4baa05fcd387 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xECDF | 5372 bytes |
font_01_sfnt_off0000ff5e.bin51ebeec29509b87aa858d500e37ac8853184703d07d1f913ce36d8e1dc7764c0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFF5E | 1800 bytes |
font_02_sfnt_off000107ec.bin057bc4b96a52be90e8fa665b37a583abd8c9ae975ba77c7cbf7e54babdd43004 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x107EC | 11128 bytes |
font_03_sfnt_off00012df8.bin864fb798b0b4617589ddf1d76f404352b0cedc9e057578586dbff024744a9b66 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12DF8 | 16372 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.