MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF document contains a large number of external links, many hosted on disposable domains, suggesting a link farm designed to artificially inflate search engine rankings or distribute malicious content. The primary URL points to a search query for a safety code PDF, acting as a lure. While no scripts were directly extracted, the PDF structure and extensive external linking are indicative of a phishing or malware distribution attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.9991
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://inwebjor.ru/pbw?utm_term=national+electrical+safety+code+2017+pdf+free+download PDF link annotation
- https://zuwufapiju.weebly.com/uploads/1/3/5/3/135348861/mofade.pdfIn PDF document text
- https://midejewafefo.weebly.com/uploads/1/3/4/0/134000268/6438541.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4461497/normal_600f066286715.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4500447/normal_60274d76c237b.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4452599/normal_5ff1130258163.pdfIn PDF document text
- https://nuxikasupi.weebly.com/uploads/1/3/4/5/134528480/viwubuseg.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4473403/normal_60493828189a2.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4372983/normal_604d21690d1d8.pdfIn PDF document text
- https://lugesivewamaxiz.weebly.com/uploads/1/3/4/5/134596289/duzigoleg_piduwi.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4392658/normal_602d7a053e634.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4389793/normal_5fec6c7846851.pdfIn PDF document text
- https://konomotawet.weebly.com/uploads/1/3/1/3/131379362/3003822a.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4466366/normal_5ffdef9019868.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4453105/normal_6046433ee1059.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/063c61dc-062e-4fca-9004-ce62939e2593/is_percy_jackson_disney_plus.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/7868bb54-4200-423a-b69f-3ff5fd2f9a43/buxuxutifid.pdfIn PDF document text
- http://mifimoruzuwo.pbworks.com/w/file/fetch/144730776/tabla_de_vacaciones_segun_la_ley_federal_del_trabajo_2019.pdfIn PDF document text
- http://xanovobuxebo.pbworks.com/f/tik_presentation_example.pdfIn PDF document text
- http://xoxafepapesu.pbworks.com/f/mod_sun_avril_lavigne_mp3.pdfIn PDF document text
- http://xulajirose.pbworks.com/f/ielts_5_practice_tests_academic_set_3.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/6152660c-1e99-451e-afa3-8a000bd9d516/45880184625.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/93390080-fb7e-480d-875b-5c2059b7f177/93542374298.pdfIn PDF document text
- http://dejimebez.pbworks.com/w/file/fetch/144425937/conjuring_2_full_movie_in_hindi_download_720p_worldfree4u.pdfIn PDF document text
- http://panuduxeruv.pbworks.com/w/file/fetch/144830412/activate_windows_server_2012_r2_datacenter_crack.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000ed82.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xED82 | 5720 bytes |
SHA-256: fab1b0580f8b7c4f166499af35908270afdbb3f4c6c8582a90c5c7b259f64f08 |
|||
font_01_sfnt_off00010135.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10135 | 10832 bytes |
SHA-256: c32e878b60d6446fec471b3179ea6f84ce21c7f0d788bcf08de40fef9da2dedd |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.