Verdict: MALICIOUS
Risk Score: 196
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains numerous external links, with a significant heuristic firing indicating a 'link farm' and another flagging it as an 'advance-fee scam lure'. The ML classifier and ClamAV detection strongly suggest malicious intent. While no scripts were explicitly extracted, the PDF structure and embedded URLs point towards a phishing or scam campaign, likely using embedded JavaScript to facilitate link redirection.
Machine Learning
- Nyx PDF Classifier malicious score 0.9973
Heuristics (6)
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Advance-fee lottery/parcel scam lure [high, SE_ADVANCE_FEE_SCAM_LURE]: Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (5)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00011a6b.bin | 34e709e9417b04f88396d139da48307d2c04134869a34be5181c492fb516399d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11A6B | 3048 bytes |
| font_01_sfnt_off00012540.bin | 049d40611d1029d57e001e14721cda2e081cf9f979da864eb006b2e5bc3f071f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12540 | 4788 bytes |
| font_02_sfnt_off00013596.bin | 7cc477183b48586cab3f8042ff671a696bc288b9f4cbbfe6e985908cb7863e28 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13596 | 12580 bytes |
| font_03_sfnt_off000160a6.bin | b6849a375c321bcc9a86b5b7366ad36908a0b50e79605cf269e8e462f3e26ee4 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x160A6 | 16264 bytes |
| font_04_sfnt_off00017628.bin | ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17628 | 4324 bytes |