MALICIOUS
204
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a large number of external links, many of which are SEO-themed and point to other PDF files, indicating a link farm or SEO poisoning attempt. The ClamAV detection and ML classifier strongly suggest malicious intent, likely phishing or malware distribution. The presence of embedded URLs and the 'password-protected archive' lure further support this, suggesting the document is designed to trick users into downloading and potentially decrypting a malicious payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.9979
Heuristics 7
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://dafemum.ru/strik?utm_term=math+kangaroo+2016+questions+and+answers+pdf
- http://productwood.ru/the_destruction_of_black_civilization_chapter_summariesrrwcg.pdf
- http://storeeuro.info/9985004505k7w0p.pdf
- http://domastmsk.space/nafazimifapuzepipunudm3tul.pdf
- http://fertpin.online/98916301458llfei.pdf
- http://all-system7.xyz/87660960554974yr.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://bdee3e82-1fe6-4084-b289-f15f5249f83e.filesusr.com/ugd/749937_17fb251273c74ff3bec24d8b696e89ea.pdf?index=true
- https://uploads.strikinglycdn.com/files/b38c3224-b256-4cbf-9ecd-bb2e75324c5e/sharp_clock_instructions.pdf
- https://692937ca-140d-46b9-9715-018e108c1018.filesusr.com/ugd/2540a5_6470024649ed4bec89e760f1d24eff4b.pdf?index=true
- https://9462281c-6212-45c1-8f90-c4e3c363a226.filesusr.com/ugd/007d40_994b785eb1154fef8cf7c85ee9ae90c9.pdf?index=true
- https://cb705b04-a904-4f11-a6d0-9d7e2b1ae5cb.filesusr.com/ugd/53498d_9450fa0bf697462dbe9592e2f463ffb4.pdf?index=true
- https://uploads.strikinglycdn.com/files/e77fd970-b3a4-480c-9b50-68f0f5c83a70/wivazogusikuwaxetalisolod.pdf
- https://uploads.strikinglycdn.com/files/3aa10268-9626-4500-8ac2-0014c7562c7b/vipiguturerulagajelujuten.pdf
- https://2bb9e989-9ce9-409f-aa8a-839f2ea8d3bf.filesusr.com/ugd/9f8cc2_3d55e855725f4eeb9df3949ef92bbc73.pdf?index=true
- https://5f98d79b-b704-4ecc-a618-200e52db7f79.filesusr.com/ugd/d1a5b7_59e60af6da0648fcaa36650494728573.pdf?index=true
- https://uploads.strikinglycdn.com/files/52a7a96d-21df-45e8-bfee-ff5e45bbf29c/sharp_eco_inverter_air_conditioner_manual.pdf
- https://uploads.strikinglycdn.com/files/f6f62cdf-39a6-4f54-8525-0647544fea03/brother_hl-2240d_driver.pdf
- https://uploads.strikinglycdn.com/files/e337df51-1d7a-4347-b464-4d61eb695875/mejilopilizokuna.pdf
- https://7fd92c66-d3af-485c-b7a9-31529ddfb1b5.filesusr.com/ugd/997d0f_4cdbfef0e8ea49ee9e8dbade76a63edd.pdf?index=true
- https://f4a80ce2-0a24-44e2-aff7-13c87a434ee9.filesusr.com/ugd/ace063_5649ad34baf242a09cb3633bb8463a06.pdf?index=true
- https://0879403c-3be5-48e4-925f-21334a7d5cfe.filesusr.com/ugd/407fcc_9000f72874e04cf39aae2ff311a1a63e.pdf?index=true
- https://f4b9ed98-44c1-44e6-9966-d9817cd43de7.filesusr.com/ugd/9ced5d_c406883c4f034ae392caf246a403111b.pdf?index=true
- https://uploads.strikinglycdn.com/files/2e5e5742-03c9-49f5-8a5e-c33b8a1f42f2/tcp_ip_ports.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0001a338.bincfbedd05aceb943b0729ad354cb5ea05366246a18a56a5affcf0191a5c69ea8d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1A338 | 5476 bytes |
font_01_sfnt_off0001b616.bin148302211fb779545320585b9b7c8407ba676dae6b2b22a9959a5ad7b4bd8f64 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1B616 | 6036 bytes |
font_02_sfnt_off0001cab9.bincb80c5e2c37eef09ab95e6fc4af609065204264486c51991210b40210e682ba7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1CAB9 | 14936 bytes |
font_03_sfnt_off0001fa34.bin60f53b17f7925ac1818ac9336ea58fd206fea48872b5377b70e6fb8114080afd |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1FA34 | 16132 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.