Verdict: MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9992
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware under the signature named above.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted URLs (channel in parentheses):
- https://crophysi.ru/123?utm_term=cbt+nuggets+ccna+study+guide (PDF link annotation)
- http://faceit.su/coleman_powermate_6250_generator_oil_capacity70751.pdf (in PDF document text)
- http://neriwor.medianewsonline.com/49502631020.pdf (in PDF document text)
- http://normaa-id.com/cause_effect_reading_and_vocabulary_development_book_3l5p22.pdf (in PDF document text)
- http://vulgargirls.fun/angry_birds_2_movie_hd_1080p1e0x9.pdf (in PDF document text)
- http://forpost-electrica.ru/1907241090440sbx.pdf (in PDF document text)
- http://klosheff.xyz/homestead_act_of_1862_worksheet_answbet24.pdf (in PDF document text)
- http://www.ascendercorp.com/ (in PDF document text)
- http://www.ascendercorp.com/typedesigners.html (in PDF document text)
- https://uploads.strikinglycdn.com/files/8c5b16e4-c2df-4f5d-87f3-6d084eea2f63/can_i_drive_to_work_with_my_permit_in_california.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/a1467e87-03bf-4ced-bfb1-045d42cc05df/67536853297.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/39782964-872b-4101-b2b2-c988b8c02e31/tibumu.pdf (in PDF document text)
- http://jitawidavez.atwebpages.com/what_army_regulation_covers_nco_duties_and_responsibilities.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/a1f84ad8-89bc-471d-925b-523fb42092fc/tojerife.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/bf8e584b-6c04-43ee-a8b4-38cf29563973/is_burger_king_open_in_uk.pdf (in PDF document text)
- https://a529afa0-707c-494d-9cee-e9df2360aa12.filesusr.com/ugd/a6e48a_7da273572d8947d8aa8030c8906ade9e.pdf?index=true (in PDF document text)
- https://6e229dea-1f83-4be8-8cd3-388eabd4f5e3.filesusr.com/ugd/1cfe37_91cc51c854b24f51a8d40c30f29b6680.pdf?index=true (in PDF document text)
- https://21a67f6d-2aea-439f-a910-ed4feb6be009.filesusr.com/ugd/173616_6f4faf46549c48e6bc5db9334dfcc0d0.pdf?index=true (in PDF document text)
- https://uploads.strikinglycdn.com/files/576054e1-007d-49b0-a98e-2c43d3fcb933/aircraft_structures_for_engineering_students_6th_edition_solution_manual.pdf (in PDF document text)
- http://rukosivujuxu.atwebpages.com/personal_branding_adalah.pdf (in PDF document text)
- https://cb0920a4-0dfc-4587-8161-bd3bf883b043.filesusr.com/ugd/df391a_cbe5025424b242028749e57b14ba7c9b.pdf?index=true (in PDF document text)
- https://uploads.strikinglycdn.com/files/c304b788-4d81-45db-adef-b06c2c5226b8/the_christian_atheist_bible_study.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/b2c9fd6a-97f2-4d48-bedc-f546e6502c28/how_many_harry_potter_prequels_are_there.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/34d0b0fa-0f9a-4186-8b1f-2dff6a943bfc/tafazelozubixosafaliv.pdf (in PDF document text)
- https://729282ec-1290-4cbc-9302-cf8a24acd4c7.filesusr.com/ugd/42c189_8befc111d47940dcbf64ab754883940a.pdf?index=true (in PDF document text)
- http://binuwuzipu.myartsonline.com/beard_oil_recipe.pdf (in PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
- http://purl.org/dc/elements/1.1/ (in PDF document text)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
- http://scripts.sil.org/OFL (in PDF document text)
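The two link-farm heuristics in this report (PDF_SEO_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM) reduce to a few measurements over the extracted link set: how many links point at .pdf paths, how those links are distributed across hosts, and whether a corroborating signal (a utm_term SEO-redirector, parking on free hosting) is present. The Python below is an added example, not the analyzer's own code, run over the URL list from this report. The thresholds, the seed list of disposable hosts (lifted from hosts that appear in this report's indicators) and the benign control list are assumptions made for the example.

```python
from collections import Counter
from urllib.parse import urlparse, parse_qs

# ASSUMPTION: seed list of free/disposable document hosts, taken from the hosts seen
# in this report's indicator list; a production list would be curated separately.
DISPOSABLE_HOST_SUFFIXES = (
    "strikinglycdn.com", "filesusr.com", "atwebpages.com",
    "myartsonline.com", "medianewsonline.com",
)
# ASSUMPTION: illustrative thresholds; the analyzer's own values are not published.
MIN_PDF_LINKS = 8          # fewer .pdf links looks like a normal citation pattern
DOMINANT_HOST_SHARE = 0.5  # one host holding >= 50% of .pdf links = clustered farm
MIN_DISTINCT_HOSTS = 5     # spread required for the non-clustered variant


def is_disposable(host):
    """True when host is (a subdomain of) a known free/disposable document host."""
    return any(host == s or host.endswith("." + s) for s in DISPOSABLE_HOST_SUFFIXES)


def link_farm_metrics(urls):
    """Measure the .pdf link population of a document's extracted URL set."""
    hosts = Counter()
    utm_term = False
    disposable_links = 0
    for u in urls:
        p = urlparse(u)
        if p.scheme not in ("http", "https") or not p.hostname:
            continue  # mailto:, file:, relative fragments etc. are not web links
        host = p.hostname.lower()
        if "utm_term" in parse_qs(p.query):
            utm_term = True  # SEO-redirector pattern, whatever the path
        if not p.path.lower().endswith(".pdf"):
            continue  # XMP namespace URIs and ordinary web pages are not counted
        hosts[host] += 1
        if is_disposable(host):
            disposable_links += 1
    n = sum(hosts.values())
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    return {
        "pdf_links": n,
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_share": top_n / n if n else 0.0,
        "utm_term_redirector": utm_term,
        "disposable_links": disposable_links,
    }


def link_farm_labels(urls):
    """Return (labels, metrics); labels mirror the two heuristic IDs in the report."""
    m = link_farm_metrics(urls)
    labels = []
    if m["pdf_links"] < MIN_PDF_LINKS:
        return labels, m
    if m["top_share"] >= DOMINANT_HOST_SHARE:
        labels.append("PDF_SEO_LINK_FARM")
    elif m["distinct_hosts"] >= MIN_DISTINCT_HOSTS and (
        m["utm_term_redirector"] or m["disposable_links"] > 0
    ):
        labels.append("PDF_SEO_DISPOSABLE_LINK_FARM")
    return labels, m


# The link URLs from this report's indicator list, plus two of its XMP namespace URIs.
REPORT_URLS = [
    "https://crophysi.ru/123?utm_term=cbt+nuggets+ccna+study+guide",
    "http://faceit.su/coleman_powermate_6250_generator_oil_capacity70751.pdf",
    "http://neriwor.medianewsonline.com/49502631020.pdf",
    "http://normaa-id.com/cause_effect_reading_and_vocabulary_development_book_3l5p22.pdf",
    "http://vulgargirls.fun/angry_birds_2_movie_hd_1080p1e0x9.pdf",
    "http://forpost-electrica.ru/1907241090440sbx.pdf",
    "http://klosheff.xyz/homestead_act_of_1862_worksheet_answbet24.pdf",
    "http://www.ascendercorp.com/",
    "http://www.ascendercorp.com/typedesigners.html",
    "https://uploads.strikinglycdn.com/files/8c5b16e4-c2df-4f5d-87f3-6d084eea2f63/can_i_drive_to_work_with_my_permit_in_california.pdf",
    "https://uploads.strikinglycdn.com/files/a1467e87-03bf-4ced-bfb1-045d42cc05df/67536853297.pdf",
    "https://uploads.strikinglycdn.com/files/39782964-872b-4101-b2b2-c988b8c02e31/tibumu.pdf",
    "http://jitawidavez.atwebpages.com/what_army_regulation_covers_nco_duties_and_responsibilities.pdf",
    "https://uploads.strikinglycdn.com/files/a1f84ad8-89bc-471d-925b-523fb42092fc/tojerife.pdf",
    "https://uploads.strikinglycdn.com/files/bf8e584b-6c04-43ee-a8b4-38cf29563973/is_burger_king_open_in_uk.pdf",
    "https://a529afa0-707c-494d-9cee-e9df2360aa12.filesusr.com/ugd/a6e48a_7da273572d8947d8aa8030c8906ade9e.pdf?index=true",
    "https://6e229dea-1f83-4be8-8cd3-388eabd4f5e3.filesusr.com/ugd/1cfe37_91cc51c854b24f51a8d40c30f29b6680.pdf?index=true",
    "https://21a67f6d-2aea-439f-a910-ed4feb6be009.filesusr.com/ugd/173616_6f4faf46549c48e6bc5db9334dfcc0d0.pdf?index=true",
    "https://uploads.strikinglycdn.com/files/576054e1-007d-49b0-a98e-2c43d3fcb933/aircraft_structures_for_engineering_students_6th_edition_solution_manual.pdf",
    "http://rukosivujuxu.atwebpages.com/personal_branding_adalah.pdf",
    "https://cb0920a4-0dfc-4587-8161-bd3bf883b043.filesusr.com/ugd/df391a_cbe5025424b242028749e57b14ba7c9b.pdf?index=true",
    "https://uploads.strikinglycdn.com/files/c304b788-4d81-45db-adef-b06c2c5226b8/the_christian_atheist_bible_study.pdf",
    "https://uploads.strikinglycdn.com/files/b2c9fd6a-97f2-4d48-bedc-f546e6502c28/how_many_harry_potter_prequels_are_there.pdf",
    "https://uploads.strikinglycdn.com/files/34d0b0fa-0f9a-4186-8b1f-2dff6a943bfc/tafazelozubixosafaliv.pdf",
    "https://729282ec-1290-4cbc-9302-cf8a24acd4c7.filesusr.com/ugd/42c189_8befc111d47940dcbf64ab754883940a.pdf?index=true",
    "http://binuwuzipu.myartsonline.com/beard_oil_recipe.pdf",
    "http://ns.adobe.com/xap/1.0/",
    "http://scripts.sil.org/OFL",
]
# Constructed benign control: a couple of citations, as a normal document would carry.
BENIGN_URLS = [
    "https://www.example.org/papers/threat-model.pdf",
    "https://docs.example.com/spec/v2.pdf",
    "https://example.net/",
]
```

On the report's URLs the example yields 23 .pdf links across 15 hosts, the largest (uploads.strikinglycdn.com) holding 9 of 23, about 39%, together with the utm_term redirector and 18 links on disposable hosts, so it raises PDF_SEO_DISPOSABLE_LINK_FARM and not the clustered label; the analyzer raised both, so its notion of "mostly clustered on one host" is evidently looser than the 50% share assumed here. Note that grouping by full hostname versus registrable domain changes the picture for hosts like filesusr.com, which appears as five per-site subdomains above; a production rule should decide that deliberately.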
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0001107b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1107B | 5128 bytes | 103f2abc5a1fbc11b1ae2deffa1380246f136ab01f3890c4a5d6284a76b5febd |
| font_01_sfnt_off00012205.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12205 | 11672 bytes | 4a7b7bb5d7906c90ef49c06eb55f181ba64256f0ab1c287050c37eefd3370484 |
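The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic in this report is, at bottom, a flat scan for every `N G obj ... endobj` definition in the file, independent of which definition the trailing xref points at, followed by a comparison of the bodies found for the same (number, generation) pair. The Python below is an added example of that check, not the analyzer's own code. The sample PDF is constructed for the example and omits xref tables (it is a scanner fixture, not a file meant to render); the list of "active content" keywords that raises severity is an assumption.

```python
import re

# ASSUMPTION: illustrative list of keys whose presence in a redefined body changes what
# the document *does*, as opposed to a metadata-only incremental update.
ACTIVE_CONTENT = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|SubmitForm|GoToR)\b")

# One indirect-object definition: "N G obj <body> endobj". Flat byte scan, so it sees
# every definition in the file, not only the one the latest xref resolves. Limitation:
# a binary stream containing the bytes "endobj", or objects packed in /ObjStm streams,
# need a real tokenizer; this is enough to show the duplicate-body check itself.
OBJ_DEF = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)


def collect_definitions(data):
    """Map (object number, generation) -> list of body bytes in file order."""
    defs = {}
    for m in OBJ_DEF.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        defs.setdefault(key, []).append(m.group(3).strip())
    return defs


def duplicate_object_findings(data):
    """Report objects defined more than once with differing bodies.

    A first-wins reader (or one that rebuilds a damaged xref by scanning) resolves the
    first body; a last-wins reader following the newest xref resolves the last one.
    Severity is raised only when some body carries active content, matching the
    wording of the report's heuristic.
    """
    findings = []
    for key, bodies in sorted(collect_definitions(data).items()):
        if len(bodies) < 2 or len(set(bodies)) < 2:
            continue  # single definition, or byte-identical re-emission
        active = any(ACTIVE_CONTENT.search(b) for b in bodies)
        findings.append({
            "obj": key,
            "definitions": len(bodies),
            "first_wins": bodies[0],
            "last_wins": bodies[-1],
            "active_content": active,
            "severity": "high" if active else "info",
        })
    return findings


# Constructed sample: a one-page document whose incremental update redefines the link
# annotation (4 0) with a JavaScript action and the /Info dict (5 0) with a new date.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://example.org/template.pdf) >> >>
endobj
5 0 obj
<< /Producer (constructed sample) /ModDate (D:20240101000000Z) >>
endobj
trailer
<< /Root 1 0 R /Info 5 0 R /Size 6 >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /JavaScript /JS (app.launchURL("https://example.net/landing", true);) >> >>
endobj
5 0 obj
<< /Producer (constructed sample) /ModDate (D:20240102000000Z) >>
endobj
trailer
<< /Root 1 0 R /Info 5 0 R /Size 6 /Prev 0 >>
%%EOF
"""
```

Run against the sample, the scan reports two duplicated objects: 5 0 differs only in /ModDate and stays at info, which is the benign incremental-update case the heuristic text describes, while 4 0 resolves to a plain /URI link under first-wins and to a /JavaScript action under last-wins, so it is raised. A triage pipeline that only ever sees the last-wins view (what the viewer renders) or only the first-wins view (what a naive carver extracts) misses half of that picture; keep both.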