Verdict: MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF file was flagged as malicious by ClamAV and an ML classifier, indicating phishing or trojan-like behavior. It contains numerous embedded URLs, with one prominent link pointing to 'bologen.ru', which is likely a malicious domain used for redirection. The document body, though heavily obfuscated, contains keywords related to 'norcold rv refrigerator circuit board', suggesting a lure aimed at victims searching for such components.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9993
Heuristics (5)
- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://bologen.ru/strik?utm_term=norcold+rv+refrigerator+circuit+board (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00013164.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13164 | 5180 bytes | b7edd3fddd0a71c3f2b5a1a706b5c633389a3a8e9a09cd62e9554cb173a0ec6c |
| font_01_sfnt_off00014321.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14321 | 11224 bytes | 6aa7adf1d7528ff8f0f28ae7dbc8b359439f7ef77deb9662a8350e8dbcbf4c42 |