Verdict: MALICIOUS
Risk Score: 194
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
This PDF file was identified as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The document functions as a link farm, containing numerous external URLs, with several pointing to disposable hosting or redirectors, suggesting an attempt to distribute phishing content or malware. The presence of a 'cyberpowerpc not powering on' search term in one URL hints at a potential lure.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9961
Heuristics (7)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- Urgency / deadline lure (low, SE_URGENCY_LURE): Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs (channel in parentheses)
- https://gimoguvi.ru/strik?utm_term=cyberpowerpc+not+powering+on (PDF link annotation)
- https://cdn.sqhk.co/wakewafo/hdgejdy/prodigy_math_game_level_hack.pdf (in PDF document text)
- https://cdn.sqhk.co/xibetevoxaj/cTZhcjb/space_run_galaxy_best_ship.pdf (in PDF document text)
- http://xasekijig.mypressonline.com/89868167408.pdf (in PDF document text)
- https://dibalinelig.weebly.com/uploads/1/3/1/3/131380687/pezizi_zapidojuteje.pdf (in PDF document text)
- https://cdn.sqhk.co/jupumezu/jigkigY/fall_out_boy_immortals_piano_sheet_music.pdf (in PDF document text)
- https://cdn.sqhk.co/fipimomozuk/OWijieG/zadirovuxizabobabe.pdf (in PDF document text)
- https://korisupugi.weebly.com/uploads/1/3/5/3/135308649/garalugefuberilipasi.pdf (in PDF document text)
- http://chunyoo.com/manualidades_con_papel_silueta_para_niosm3w0o.pdf (in PDF document text)
- https://debozapo.weebly.com/uploads/1/3/1/1/131164198/wanozuj.pdf (in PDF document text)
- https://vekerarefatada.weebly.com/uploads/1/3/4/8/134868636/nenuzagefaj.pdf (in PDF document text)
- https://cdn.sqhk.co/daxerarugak/jjcU2Lf/nexutotabekarofifogobox.pdf (in PDF document text)
- http://swiss-gear.store/ap_biology_2016_multiple_choicevnifx.pdf (in PDF document text)
- http://kokulotasuz.mygamesonline.org/benedetti_poemas_de_amor.pdf (in PDF document text)
- http://gepavozo.mygamesonline.org/biological_materials_science.pdf (in PDF document text)
- https://nevozijefase.weebly.com/uploads/1/3/4/7/134748823/kodikevetomu.pdf (in PDF document text)
- http://www.ascendercorp.com/ (in PDF document text)
- http://www.ascendercorp.com/typedesigners.html (in PDF document text)
- https://uploads.strikinglycdn.com/files/014cbc40-763c-4658-842d-c992685b6c7b/john_deere_l110_automatic_deck_belt_diagram.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/62b1c59a-5748-4791-8757-5c48d0051a7b/crossfit_workout_gear_australia.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/fe2e08a1-add7-45c1-b5db-09e9cbef1f60/karamozigopomoroj.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/a060b207-56b5-4c2b-b69b-b46f1d0d8cd3/what_is_the_point_of_waste_recycling_business.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/0a91c0cd-72e6-4e3c-a957-de007c372982/cuntas_caloras_debe_consumir_una_persona_al_da.pdf (in PDF document text)
- http://tirisesu.onlinewebshop.net/assertiveness_in_nursing.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/bb306bd5-75dd-45e3-9a38-33ec06a4cb74/death_note_ryuk_quotes.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/ef3f7f9b-8950-4c4c-827a-a07fd366bb88/mejowibetozi.pdf (in PDF document text)
- http://nogafojomor.onlinewebshop.net/functions_in_sql_server.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/c4000895-7efc-4b84-bae2-4c31bae8c5ea/percy_jackson_and_the_titans_curse_chapter_1.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/be2c014c-f00b-4cc5-813f-01e2bd2b78f5/ralupabazetirusowar.pdf (in PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
- http://purl.org/dc/elements/1.1/ (in PDF document text)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
- http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00011bbe.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11BBE | 4920 bytes | 8f3d3d9138b165873760249a7d5d7ed7bab6026f0d68a3ced8a0f50ae0517ac0 |
| font_01_sfnt_off00012ca8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12CA8 | 11392 bytes | a8bbce6e0ad77c1c5c4fe545f16dd4e4fbff11b62b085aaf37511bcd141456da |