MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9994
Heuristics 6
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: https://xezojetit.ru/award?keyword=city+of+god+saint+augustine+pdf (PDF link annotation)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f82f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF82F | 5088 bytes | eab3418471ac20eb3e05dd2064767ec8ea069a7142f6a3939b1c139e7aa839db |
| font_01_sfnt_off000109a8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x109A8 | 10900 bytes | d8132aa2f9395510e4b55f9a9552bdad5cf407682f673e3d78d2f0069f301020 |