Verdict: MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF file was flagged by ClamAV and an ML classifier as malicious, specifically as a phishing trojan. It contains numerous embedded URLs pointing to disposable domains, indicating a link farm designed to redirect users to potentially harmful content. The document body, though heavily obfuscated, contains strings related to a manual, likely a lure.
Machine Learning
- Nyx PDF Classifier malicious score 0.9992
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk lies in the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://kuzutuzo.ru/aws?utm_term=first+alert+carbon+monoxide+alarm+manual+c0400 (PDF link annotation)
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000fd24.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFD24 | 5360 bytes | 3df8912f90cf227788ca1c41c6fc774529b5332dc597fc5dd6926d4933563488 |
| font_01_sfnt_off00010f3b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10F3B | 12060 bytes | a5d77bc89caf3f21b37dee1baccc0bac9a44207369c3ef1afd9ba6c66ba82719 |
| font_02_sfnt_off00013855.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13855 | 4324 bytes | a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f |