MALICIOUS
Risk Score: 134
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm and presents a deceptive download button. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9991
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL https://kuzutuzo.ru/strik?utm_term=the+history+of+love+movie+download (PDF link annotation).
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f07e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF07E | 5348 bytes | 3fde95c44b3064081dac5bdef7df060383cb0c8e787976053b19f25337ea8a38 |
| font_01_sfnt_off0001029c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1029C | 10380 bytes | dd02e71e9219bdc29b4e87c67d3d64f6076eb746f1c576aca16719ee5ad00592 |