MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many pointing to disposable hosting, suggesting a link farm or phishing operation. The document body, though heavily obfuscated, contains keywords related to job searches, likely a lure to direct users to malicious URLs.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://lozipotod.ru/wix?keyword=cabot+library+jobs PDF link annotation
- http://hugertely.xyz/what_was_the_contemporary_civilization_of_mesopotamias2pb1.pdfIn PDF document text
- http://form-copyrightservices.com/kalekamupikututiwutepamonc18hx.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4416675/normal_6014535ecede3.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4419437/normal_5fe54ea59eef4.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4472495/normal_5feefe422db47.pdfIn PDF document text
- http://summ-ita.space/adobe_2019_crack_mac_redditw1sb6.pdfIn PDF document text
- http://remastacer.com/siren_head_story_game_robloxljix0.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://a84030a7-2e48-4039-807a-383e2b7216cc.filesusr.com/ugd/c5d40f_6d6a5b2571ce4e7aa7ee312fa96a4e94.pdf?index=trueIn PDF document text
- https://fb9345b8-40be-4608-a8ff-9c5427dba92f.filesusr.com/ugd/98d639_68e8b25a2dbf45238b45a45849f33cbe.pdf?index=trueIn PDF document text
- https://18b09f4e-de4d-4c1b-9fe6-be55c63b1c00.filesusr.com/ugd/cd81e9_a9801f20551b41f4a3312dfadd9fd36f.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/37defa4d-280a-43f9-a24b-63b2b6c0cbe6/kimutabe.pdfIn PDF document text
- https://ef2e072a-e8a2-4438-804d-cc750be2e2f6.filesusr.com/ugd/6a22cb_ac59e594a708440b936f2c2b2e26323c.pdf?index=trueIn PDF document text
- https://b6e49935-6d58-4bde-831f-6e0b746776d3.filesusr.com/ugd/7d321f_c8b1550ccf434b52af24722e2e027e90.pdf?index=trueIn PDF document text
- https://d427386d-3434-45d9-8802-370857a594f4.filesusr.com/ugd/accd1f_72f126ef22004f5fb531c4b945eb824f.pdf?index=trueIn PDF document text
- https://cf587a47-7c2f-4f55-8bbb-21a4c73503f7.filesusr.com/ugd/8ea597_17b14404cf4f4acfbf34e6bf67900f3b.pdf?index=trueIn PDF document text
- https://59cf682b-6680-4a08-8b8d-0472bab64ef7.filesusr.com/ugd/d7d6cd_65025a03dbf641e1bfd24eb83abb4f46.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/493a4afb-1607-4880-9725-28b782743799/how_to_eat_fried_worms_watch_online.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/53d0e7b0-65e2-4169-8f9b-a3d7ea8e7d6b/why_is_my_spectrum_remote_volume_not_working.pdfIn PDF document text
- https://f13dd0f9-fe0a-4257-a88d-d9af1a1cf0e3.filesusr.com/ugd/d954c5_862d338b3f7f4aafb03d9a41a93a2e7f.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000dbb2.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDBB2 | 4904 bytes |
SHA-256: 4af08662233c4c4640b3ccc7b55571be9ef6878a7a50546b21bbe78fb3696828 |
|||
font_01_sfnt_off0000ec71.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEC71 | 10580 bytes |
SHA-256: b83851285e91d55d865675f102431a90b03ba3685f7b5f2552052989182038ca |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.