MALICIOUS
196
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains numerous external links, many of which are part of a link farm or redirect to SEO-optimized content, indicating a malicious intent to deceive users. The primary lure, 'gardenscapes hack online without human verification,' suggests a phishing or scam attempt. The ML classifier and ClamAV detection strongly support the malicious nature of this PDF.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINKPDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://mezovuduw.ru/wix?keyword=gardenscapes+hack+online+without+human+verification PDF link annotation
- http://zigejetulanoda.iblogger.org/omo_see_aunty_wey_mumu.pdfIn PDF document text
- http://dubiniba.iblogger.org/10874948299.pdfIn PDF document text
- http://hookup671.site/99036833454yua2b.pdfIn PDF document text
- http://walkover.me/karcher_pressure_washer_pump_oil_levelnrm5g.pdfIn PDF document text
- http://mebel-albero.ru/scanner_app_for_windows_10qdb73.pdfIn PDF document text
- http://demask.space/nusodotujrhzwg.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.daltonmaag.com/In PDF document text
- https://s3.amazonaws.com/kukupunopedon/wurerorosagixevezusu.pdfIn PDF document text
- http://wuguwusilabibax.epizy.com/55840799175.pdfIn PDF document text
- https://aabf49e0-5477-4fd2-8456-a986ef8f2a87.filesusr.com/ugd/9e14ca_f807ec1823ad46a29e361c58d8eb8bd5.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/loranoduzuja/17986601333.pdfIn PDF document text
- https://4095172d-bd2f-4181-91d7-dd424e653400.filesusr.com/ugd/df73ab_90db78bdde464176a7d0a090b31e7038.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/runuzitexokol/natuduzegojobefovojo.pdfIn PDF document text
- http://wakurenup.epizy.com/35883151710.pdfIn PDF document text
- https://s3.amazonaws.com/sorapobuk/world_competitiveness_report_ranking.pdfIn PDF document text
- https://s3.amazonaws.com/tixeligufokup/cisco_switch_sg350x_datasheet.pdfIn PDF document text
- https://s3.amazonaws.com/jinabom/fire_reports_near_me_today.pdfIn PDF document text
- http://tosowepexinuf.epizy.com/kobe_earthquake_news_report.pdfIn PDF document text
- http://numekup.epizy.com/abominable_full_hd_movie.pdfIn PDF document text
- https://s3.amazonaws.com/vebisop/99661336534.pdfIn PDF document text
- https://dd3528e8-ded0-4753-843e-0d3cb9f542e7.filesusr.com/ugd/4d6844_b98d65d6d3df43f38da27ede9fa2725d.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000d06c.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD06C | 5524 bytes |
SHA-256: 9c4adcdd427707e8edd0650ad6bacba54437df3d711e1775bbd95ffd29f6345f |
|||
font_01_sfnt_off0000e322.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE322 | 10172 bytes |
SHA-256: 9dffe29c39ba8ace3d2958d72610cab56c213f75b61fb4652ed3cbec8477cef5 |
|||
font_02_sfnt_off000105f1.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x105F1 | 4324 bytes |
SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.