MALICIOUS
Risk Score: 156
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://coretry.ru/pbw?utm_term=portugal+strategy+eu4 (PDF link annotation)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f49d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF49D | 5044 bytes | 528741a205173546bdcad6f055c786b1ee61dca32c3536c2c376383353b00845 |
| font_01_sfnt_off000105e1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x105E1 | 13716 bytes | 4815c1bfbf7937d08a3ab06acafcfe8453e75bb01db2c87278177bb17ec72ed7 |