Verdict: MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan' and an ML classifier indicating maliciousness. It contains a high number of embedded URLs, many pointing to disposable hosting, suggesting a link farm designed to redirect users to potentially malicious sites. The presence of 'utm_term' parameters in some URLs indicates a phishing or scam attempt, likely to harvest credentials or distribute further malware.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs
- https://druttle.ru/strik?utm_term=canon+printer+mg2120+error+codes (PDF link annotation)
- https://cdn.sqhk.co/vonewesipan/heiib0g/tixoruzetewaresod.pdf (in PDF document text)
- http://beririka.scienceontheweb.net/zalugutugiwizasameju.pdf (in PDF document text)
- http://waferaboteb.mypressonline.com/sewulidujiv.pdf (in PDF document text)
- https://cdn.sqhk.co/penavagalo/6ifCfjF/cafe_racer_seats_for_sale_south_africa.pdf (in PDF document text)
- http://wunuvuzixuxi.getenjoyment.net/gunadezolizomedukopu.pdf (in PDF document text)
- http://pukebebizadolu.mypressonline.com/dan_brown_angels_and_demons_series_order.pdf (in PDF document text)
- http://vudasuti.mygamesonline.org/is_it_ok_to_change_your_mind.pdf (in PDF document text)
- http://zuzatew.medianewsonline.com/73064689184.pdf (in PDF document text)
- https://cdn.sqhk.co/jovowosifo/gejgqhc/doniwutoxi.pdf (in PDF document text)
- http://paxezot.getenjoyment.net/faxegitujora.pdf (in PDF document text)
- https://cdn.sqhk.co/dukoredod/hwjjotJ/outdoor_movie_night_food_ideas.pdf (in PDF document text)
- http://vadosixajobirug.mygamesonline.org/55601865400.pdf (in PDF document text)
- http://www.ascendercorp.com/ (in PDF document text)
- http://www.ascendercorp.com/typedesigners.html (in PDF document text)
- http://www.daltonmaag.com/ (in PDF document text)
- http://fekejuw.atwebpages.com/binomial_probability_distribution_solved_examples.pdf (in PDF document text)
- https://s3.amazonaws.com/davolazupivowi/beats_2_wireless_headphones_manual.pdf (in PDF document text)
- http://xomapagovujux.atwebpages.com/1st_grade_printable_worksheet.pdf (in PDF document text)
- https://s3.amazonaws.com/fuwawibu/balanced_food_plate_template.pdf (in PDF document text)
- https://s3.amazonaws.com/jolituzoji/xomemonunitunejavomizo.pdf (in PDF document text)
- https://s3.amazonaws.com/sukobogixe/43749474571.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/50cfd417-6f10-4cfa-b587-26c1bee119be/impact_of_globalization_on_communication_slogan.pdf (in PDF document text)
- http://zevesijuduma.atwebpages.com/17682831422.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/1c0c92bb-94c1-4752-9aa5-0c820669e62e/90058485192.pdf (in PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
- http://purl.org/dc/elements/1.1/ (in PDF document text)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
- http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000da1f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDA1F | 5496 bytes | 581c7ef2e4f053487052a65571ab475c817857beb32763c0e91bdbe08e3c4f8d |
| font_01_sfnt_off0000ecbf.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xECBF | 10760 bytes | 3f4149b2a16cb9c2fc6402d9799d81543b5eae8690a1c33f0cc5a786ff2ac4fb |
| font_02_sfnt_off0001119f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1119F | 4324 bytes | d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378 |