Verdict: MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF document contains numerous embedded URLs, one of which points to a domain associated with phishing and malware distribution. The ML classifier and the ClamAV detection together strongly indicate malicious intent, most likely a redirect of users to a site that serves malicious content or attempts to phish credentials. No scripts were extracted, but the PDF structure and the URL heuristics are sufficient to infer a phishing or downloader attack pattern.
Machine Learning
- Nyx PDF Classifier malicious score 0.9992
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
- https://jumiwimov.ru/123?utm_term=maidstone+borough+council+planning+application+forms (PDF link annotation)
- http://gufurebu.medianewsonline.com/building_drawing_software_for_mac.pdf (in PDF document text)
- http://carishr.com/fukiradakudapucukbm.pdf (in PDF document text)
- http://keepxufi.space/how_much_does_it_cost_to_reupholster_a_recliner_uk80hsv.pdf (in PDF document text)
- http://stixlife.info/gloomhaven_second_edition_rulesh7ikc.pdf (in PDF document text)
- http://ladekepevij.mygamesonline.org/andrew_loomis_espaol_dibujo_de_cabeza_y_manos.pdf (in PDF document text)
- http://gisoboxizaza.mygamesonline.org/lotus_caravans_for_sale_qld.pdf (in PDF document text)
- https://cdn-cms.f-static.net/uploads/4471099/normal_6018c2e789036.pdf (in PDF document text)
- https://static.s123-cdn-static.com/uploads/4379626/normal_5ff759dbc8c99.pdf (in PDF document text)
- http://alex-chekalev.com/icsh_hormone_full_forml27t9.pdf (in PDF document text)
- http://ujjjrrrrr.space/gumewekivebubokupopis38vk.pdf (in PDF document text)
- http://www.ascendercorp.com/ (in PDF document text)
- http://www.ascendercorp.com/typedesigners.html (in PDF document text)
- https://79d86aa2-23c4-4aa0-a0dc-c16ac59ae55d.filesusr.com/ugd/ecb701_596a4dca87b140d6b3567dd92fb11141.pdf?index=true (in PDF document text)
- http://xaguxebijop.epizy.com/sakenazir.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/8106a8ec-b6eb-4d02-9e50-e0bbf2e8cc14/lugomozutemorivunis.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/5474a1ab-e4de-4e41-b061-f1a08672be59/36906509321.pdf (in PDF document text)
- https://70848fb0-0fd0-490a-9360-2ffa38fc212c.filesusr.com/ugd/08e331_8f808164346a47a5a1237c097a18b09f.pdf?index=true (in PDF document text)
- https://cceb078e-1df6-42b0-9e12-359f30e42f1d.filesusr.com/ugd/e8506d_2d40abeeb297463497de85d22dbf72a5.pdf?index=true (in PDF document text)
- https://uploads.strikinglycdn.com/files/7187ba84-b55e-46be-9508-2ffbafe88931/atoms_and_molecules_worksheet_answers_bill_nye.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/2ac17b64-a9d2-43ad-b8a0-a15b818b4067/kanupa.pdf (in PDF document text)
- https://74269c25-1731-4359-90d4-804f54ef9c1c.filesusr.com/ugd/b5973a_9f34fbe2f39d4ac18412e67f0333af78.pdf?index=true (in PDF document text)
- http://luxupuxud.myartsonline.com/public_health_nutrition_cycle.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/c0165d49-8a95-41da-8722-7a57ce3007a9/what_is_general_merchandise_at_kroger.pdf (in PDF document text)
- http://wiroxidimov.rf.gd/napevima.pdf (in PDF document text)
- http://mipitevana.epizy.com/dcra_biennial_report_fee.pdf (in PDF document text)
- http://wokarodefi.onlinewebshop.net/how_to_clean_a_vintage_kenmore_sewing_machine.pdf (in PDF document text)
- http://namavorudil.epizy.com/dailysocial_fintech_report_2019.pdf (in PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
- http://purl.org/dc/elements/1.1/ (in PDF document text)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
- http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f2d8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF2D8 | 5716 bytes | 7e20df065b401d1a5bdfbef0178282ed00431ddf4465be8754546df436b8963b |
| font_01_sfnt_off00010631.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10631 | 10988 bytes | 6143ec87bf4a5ec601031f389bbaa50132eb1f16845c331e6dab1dea0884b237 |