Verdict: MALICIOUS
Risk Score: 164
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. It uses an urgency-based lure. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9991
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Urgency / deadline lure (low, SE_URGENCY_LURE): Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.); useful context, but low-signal without other findings.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://botokaw.ru/strik?utm_term=ddp+yoga+intermediate+workout+schedule (PDF link annotation)
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_003_off00011273.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x11273 | 9140 bytes | ea10d98dae27a8f05ff929d893101d8eb32e64157a48384ffab04d2190eeed1f |
| font_00_sfnt_off0000fef0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFEF0 | 5744 bytes | f774829876afe915828a005baff2527a5f91945b1317a18137d2569dda337f75 |
| font_02_sfnt_off00012c49.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12C49 | 11296 bytes | 7c73c9fc943fd8a7471992ab5229aebf3f02aad4fe96ee9715e7f7a55445b7f3 |