Verdict: MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF document was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious intent. It contains a large number of external links, with at least one pointing to a suspicious domain (jumiwimov.ru), suggesting a phishing or redirection campaign. The presence of embedded URLs and the overall structure point towards a link farm designed to distribute further malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9990
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://jumiwimov.ru/strik?utm_term=you+can%2527t+take+it+with+you+set+design (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00010176.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10176 | 5328 bytes | ff0133a775d28df9f88ea757c1b69d5d24b86eaad1bbc60eb447ea55b6e5d70d |
| font_01_sfnt_off000113bd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x113BD | 11124 bytes | c65202a699e865edd97e263bcc6e5e87e3add31d2923720b42fac76ad7abb6f3 |