Verdict: MALICIOUS
Risk Score: 126

Malware Insights
MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF document is identified as malicious by ML classifiers and ClamAV, indicating that it is a phishing lure. The document contains numerous links, including a prominent one to 'mezovuduw.ru', which is likely intended to lead the user to a malicious site that distributes malware disguised as a software crack. No scripts were extracted, but the PDF structure and embedded URLs strongly suggest a phishing campaign.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9996

Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM). Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI). PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL). The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
- https://mezovuduw.ru/strik?utm_term=vinylmaster+pro+4+crack (PDF link annotation)
Extracted artifacts (4)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000e2d4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE2D4 | 5088 bytes | b010a6f88c25605ffa55c9d885028b57086613bec156fad505703e34da60457e |
| font_01_sfnt_off0000f405.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF405 | 12752 bytes | 71082babd1c8f35230561b890d66c723680b8d534bd6b3d07a91c4700acdf826 |
| font_02_sfnt_off00011d5c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11D5C | 16708 bytes | 00c047e37a1cb755796d9fac12a19b2e9e72dca29abcd95969714fc9c424648b |
| font_03_sfnt_off0001343b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1343B | 4324 bytes | 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2 |