Verdict: MALICIOUS (Risk Score: 186)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains a large number of external links, many of which point to disposable domains and are likely part of a link farm. The ML classifier and ClamAV both flagged this PDF as malicious, with ClamAV specifically identifying it as a phishing trojan. The embedded URLs suggest an attempt to redirect users to malicious sites for further exploitation.
Machine Learning
- Nyx PDF Classifier malicious score 0.9985
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The URL reached via a PDF link annotation is https://midufefew.ru/wix?keyword=18+wheels+of+steel+haulin+mod+bus+mexico; the remaining extracted URLs were found in the PDF document text.
Extracted artifacts (4)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_004_off00010301.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x10301 | 23304 bytes | 957355c08eea5eb9a5a0464226a1ce6ba4254160f44917fdd0d2d9f70374bc20 |
| font_00_sfnt_off0000ce00.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCE00 | 5496 bytes | ed32904520cce15fab197dd99cd5cc6ed9e7675101ea770ecce25f9f7d46bc88 |
| font_01_sfnt_off0000e09b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE09B | 9960 bytes | 35102e6d5ea490e5e9ee9dbf75f96f5a76e9c8e687092f464c6212a1d904c664 |
| font_03_sfnt_off00012c07.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12C07 | 4324 bytes | 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3 |