MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains numerous external URIs, many hosted on disposable domains, suggesting a link farm or phishing lure. The document body, though heavily obfuscated, appears to be a lure related to literary analysis, aiming to trick users into clicking embedded links.
Machine Learning
- Nyx PDF Classifier malicious score 0.9992
Heuristics 5
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://soxebez.ru/strik?utm_term=the+minister%2527s+black+veil+literary+analysis+answers (PDF link annotation)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0001314d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1314D | 5480 bytes | e856115a21655ca4ca3a751b9e563c6f9fbf4f33c0e4dc17e017b1ffe7295faa |
| font_01_sfnt_off000143e2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x143E2 | 10992 bytes | dfadf2f351560788ec156edf165ccb7f145ffdd899ffa5d7ecdeddabca8a9b15 |