Verdict: MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9991
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI [info] PDF_URI: PDF contains an external URL action
- Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://crophysi.ru/strik?utm_term=icewind+dale+2+enhanced+edition+walkthrough (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000ec93.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEC93 | 5248 bytes | e8577c9e26f21dd3facf25955b0121c7a7596ca2672e88a4940c23c0a50c3be3 |
| font_01_sfnt_off0000fe7c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFE7C | 11008 bytes | a46169ea0ae50ebe39f55780458a63e8491a0eb6f54b5b00b11986091e25db52 |