Verdict: MALICIOUS
Risk Score: 156
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs (each with the channel that reached it):
- https://lozipotod.ru/strik?utm_term=how+to+turn+off+jlab+air+executive+earbuds (PDF link annotation)
- https://static.s123-cdn-static.com/uploads/4380525/normal_5ffb4aad34082.pdf (in PDF document text)
- https://cdn-cms.f-static.net/uploads/4380882/normal_606e632ea0973.pdf (in PDF document text)
- https://sivitudogadix.weebly.com/uploads/1/3/4/1/134108631/rejigix-zajezemixe.pdf (in PDF document text)
- https://lolutisoxat.weebly.com/uploads/1/3/4/3/134315909/kogotegufojaxetugosa.pdf (in PDF document text)
- https://cdn-cms.f-static.net/uploads/4500883/normal_5fe6b2d0079e3.pdf (in PDF document text)
- https://dubonizu.weebly.com/uploads/1/3/1/6/131606556/ninexorak_vukanujabu.pdf (in PDF document text)
- http://www.ascendercorp.com/ (in PDF document text)
- http://www.ascendercorp.com/typedesigners.html (in PDF document text)
- https://s3.amazonaws.com/mogipegi/can_i_take_the_fe_exam_in_a_different_state.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/1b4f641c-4ed2-49d4-b90e-7edb2d3ac1d1/borafowofexiretibure.pdf (in PDF document text)
- https://s3.amazonaws.com/tufitijinexu/logitech_k400_treiber_download.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/d5f722d4-9666-4ca2-aed7-c4e5ff8d0715/how_do_you_change_the_battery_in_a_timex_ironman_triathlon_watch.pdf (in PDF document text)
- https://s3.amazonaws.com/fukezavazuj/weber_kettle_cookbook_free_download.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/9f0cacb7-05ff-4a27-a879-18be71bd3b7a/what_does_ralph_mean_in_the_bible.pdf (in PDF document text)
- https://s3.amazonaws.com/rimejiguvif/resident_evil_4_mobile_mod_apk.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/71f53434-f500-40c8-9637-e4dfd11409de/ford_mustang_for_sale_dayton_ohio.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/01b6d764-4585-43c2-8308-03a65635c445/convert_500_lb_ft3_to_kn_m3.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/3602114e-43f5-4215-83c4-92afa5ebb22e/baby_gap_toddler_girl_coat.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/da264d22-9e66-49f3-b717-dcf46240fd1b/gudoki.pdf (in PDF document text)
- https://s3.amazonaws.com/gagotaniwipure/soccer_workout_program.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/b64dbbf7-0b5c-49be-95a6-8977f24c0d6d/64339612095.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/2138a0c4-ba1d-4529-972b-4e5cb54e0d19/how_to_set_intermatic_digital_pool_timer.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/34f270fa-c720-437c-98b6-3f68a38d818b/niboda.pdf (in PDF document text)
- https://s3.amazonaws.com/mokixetat/bielsko_biaa_szpital_wojewdzki_informacje.pdf (in PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
- http://purl.org/dc/elements/1.1/ (in PDF document text)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
- http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000e49a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE49A | 5412 bytes | 5d06041b7b77bc3cc1727bd140414c3c315413d3aba4c14a1af70726d346efa8 |
| font_01_sfnt_off0000f726.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF726 | 11544 bytes | aaa839dd7e19dfc1462397cdcf985ac9a77676b38d41ee954af30f7c0d45e368 |