MALICIOUS
196
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
T1203 Exploitation for Client Execution
The PDF file contains numerous external links, with a critical heuristic identifying it as a PDF SEO link farm. The primary malicious URL, 'https://zajinet.ru/wix?keyword=danielson+domain+3e', is flagged as a redirector for free-download phishing. ClamAV also detected the file as 'Pdf.Phishing.Trojan-d2568dad23a94d95-10044375-0', indicating a known malicious pattern. The ML classifier strongly supports the malicious verdict.
Machine Learning
- Nyx PDF Classifier malicious score 0.9991
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINKPDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://zajinet.ru/wix?keyword=danielson+domain+3e PDF link annotation
- https://cdn-cms.f-static.net/uploads/4387932/normal_600ffc7f1133e.pdfIn PDF document text
- https://kivojiwivumupu.weebly.com/uploads/1/3/4/5/134597008/7154946.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4477864/normal_6029882e891e9.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4464715/normal_604a4c49a5646.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4366011/normal_6012df643f16c.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4387933/normal_603804581f78d.pdfIn PDF document text
- https://mopebewugo.weebly.com/uploads/1/3/0/7/130776026/fd62c54ec7a02b9.pdfIn PDF document text
- https://gefererasixo.weebly.com/uploads/1/3/4/7/134749514/lagon.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/memexelu/pobuta.pdfIn PDF document text
- https://s3.amazonaws.com/paxuvagal/jasijer.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/461b748d-5251-40e6-8ea5-f18c3c4c2d19/wuzigolewe.pdfIn PDF document text
- https://d3826037-6016-486c-99e9-dc41bc666644.filesusr.com/ugd/b81754_2708ec61d155453bbf366f40b64b4d37.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/c3fdcb3f-c0cc-49d5-9f1b-b923e6b76bc0/valibaloregajebi.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/0d761b09-ad09-4310-8da5-1a8b2b6c6d24/doxaliwoliref.pdfIn PDF document text
- https://1ffb5d6c-d890-49e0-9b87-dc10fbfa49e2.filesusr.com/ugd/8bc2a6_d193354adb954fe6a4e31ede8f991cd4.pdf?index=trueIn PDF document text
- https://1ffb5d6c-d890-49e0-9b87-dc10fbfa49e2.filesusr.com/ugd/8bc2a6_14425f5ba22d4be1b17ca48703cda239.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/rirusozo/xurax.pdfIn PDF document text
- https://5f98d79b-b704-4ecc-a618-200e52db7f79.filesusr.com/ugd/d1a5b7_9633e558855a41d1a51378f86e4736b5.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/8d540f8d-8fb7-4f17-8496-4d109df1d172/63422171190.pdfIn PDF document text
- https://s3.amazonaws.com/gekixadonuru/83269208029.pdfIn PDF document text
- https://s3.amazonaws.com/purixifusipelid/absolute_c_4th_edition.pdfIn PDF document text
- https://s3.amazonaws.com/vavabi/full_platform_bed_with_drawers_plans.pdfIn PDF document text
- https://s3.amazonaws.com/musokejixami/katusuzuteduve.pdfIn PDF document text
- https://04650017-3ca5-4b28-9d9b-11da2816551d.filesusr.com/ugd/aa03de_e65289b9643640669ddb352caba49bd9.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000ddfb.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDDFB | 5040 bytes |
SHA-256: d1328d4e44160a551d844c58333ddfbab5eedee8e2f3f9026b7be8ee081a4a52 |
|||
font_01_sfnt_off0000ef11.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEF11 | 10320 bytes |
SHA-256: 02f4fb6c03a3dddb6c9d728742e68811b3a49a66236352706f9970b46d85c1bf |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.