MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The file is a PDF containing numerous external links, many pointing to disposable domains, and is flagged by ML classifiers and ClamAV as malicious. The embedded URLs suggest a phishing or link-farming scheme designed to redirect users to potentially harmful sites. No scripts were extracted, but the PDF structure itself facilitates the redirection.
Machine Learning
- Nyx PDF Classifier malicious score 0.9993
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL (PDF link annotation): https://soxebez.ru/123?utm_term=how+to+measure+wheel+size+for+bike+computer
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off000103eb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x103EB | 5560 bytes | 31bc58760d0732ff504d350008601a2d0e8e39697001415ed08b792484f8e135 |
| font_01_sfnt_off000116bd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x116BD | 10568 bytes | 1aced0e15ad60f71ad7da0572db094107dcb3de1ca3b5bdf4e484b39a087019c |