Verdict: MALICIOUS (Risk Score 186)
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF file contains numerous external links, many pointing to disposable hosting, and is flagged by heuristics as a link farm. The ClamAV detection and ML classifier strongly indicate maliciousness. The primary malicious URL identified is pelibifir.ru, which is likely used to host phishing content or a second-stage payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.9994
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted URLs (channel in parentheses):
- https://pelibifir.ru/123?utm_term=xilinx+ultrascale+user+guide (PDF link annotation)
- http://xefawojuj.mygamesonline.org/9557371717.pdf (In PDF document text)
- http://jabewes.medianewsonline.com/agroforestry_theory_and_practices.pdf (In PDF document text)
- http://niginotan.22web.org/55770492921.pdf (In PDF document text)
- http://mawosatejojeka.sportsontheweb.net/40918993953.pdf (In PDF document text)
- http://jusojixanona.getenjoyment.net/96864074334.pdf (In PDF document text)
- http://detobusukited.iblogger.org/zirego.pdf (In PDF document text)
- http://tanijijud.sportsontheweb.net/addition_word_problems_worksheet.pdf (In PDF document text)
- http://www.ascendercorp.com/ (In PDF document text)
- http://www.ascendercorp.com/typedesigners.html (In PDF document text)
- https://uploads.strikinglycdn.com/files/0bf4f5db-9ed8-4f6f-be76-d4015c65e14a/31641666203.pdf (In PDF document text)
- https://uploads.strikinglycdn.com/files/19ab16a1-075a-4cdc-8895-257ba6077688/78243969954.pdf (In PDF document text)
- https://uploads.strikinglycdn.com/files/d47e53e3-7a93-4717-a4ab-25fd409cd413/niv_life_application_study_bible_thumb_indexed_leather.pdf (In PDF document text)
- https://4123e755-5e7e-4fb8-b167-49ba90d37259.filesusr.com/ugd/fd3290_66627c8786fb450c8d3caac15c6e2d56.pdf?index=true (In PDF document text)
- https://uploads.strikinglycdn.com/files/2ae9cba8-a97e-4d2e-8d13-5fd2808d3030/kenwood_ts-430s_manual.pdf (In PDF document text)
- https://uploads.strikinglycdn.com/files/07f7f9cc-a499-4771-b86e-9089cb39590f/5th_grade_writing_prompts_worksheets.pdf (In PDF document text)
- https://720c7b34-a033-4bf0-83ea-6be17de98aa2.filesusr.com/ugd/03ef8e_88bacf5820dc4c6a89ae738aaf157cd5.pdf?index=true (In PDF document text)
- https://1682489e-d94b-4f22-b6a6-c8ecb623ca2e.filesusr.com/ugd/5f226e_3c99e712987b4bc6abf3dfe3647eefe3.pdf?index=true (In PDF document text)
- https://uploads.strikinglycdn.com/files/783d469d-d452-4ed6-b080-418ec11ec626/metave.pdf (In PDF document text)
- https://uploads.strikinglycdn.com/files/cf681c3e-60da-4ae4-84f3-2fed6d0eae18/brother_hl-2140_error_light.pdf (In PDF document text)
- http://vumafovixono.rf.gd/mixurevekeduxifofobep.pdf (In PDF document text)
- https://c931c956-7f53-4e4e-96dc-27d7f003ba63.filesusr.com/ugd/b80c10_56738ccf593044af935dc267bcabf20c.pdf?index=true (In PDF document text)
- https://ee6bc897-aa08-459d-b6e6-b1b1d69fcba1.filesusr.com/ugd/7ba596_7954b85d38a845b381812c082ee941ff.pdf?index=true (In PDF document text)
- https://uploads.strikinglycdn.com/files/f63c771a-3c21-4fee-a86f-9bed9980b30a/dumuvekosunibenenixam.pdf (In PDF document text)
- https://uploads.strikinglycdn.com/files/0e240545-1d24-4811-8abd-058e23b690d6/48381872499.pdf (In PDF document text)
- http://wilisen.rf.gd/18756051457.pdf (In PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
- http://purl.org/dc/elements/1.1/ (In PDF document text)
- http://ns.adobe.com/pdf/1.3/ (In PDF document text)
- http://ns.adobe.com/xap/1.0/ (In PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (In PDF document text)
- http://scripts.sil.org/OFL (In PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off000149ca.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x149CA | 5152 bytes | 20933d84104f3aedf42bedf799515a627e3198fde950f72495f41b6313eab991 |
| font_01_sfnt_off00015b59.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15B59 | 12088 bytes | 96facdd148f3231e61e1a7a43d01a7bc78af8d9b953a91dc8bedb73426d1312a |