Verdict: MALICIOUS
Risk Score: 166
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains embedded URLs and heuristics indicate it is a link farm designed to trick users into downloading password-protected archives, a common tactic for malware distribution. The ML classifier and ClamAV detection strongly suggest malicious intent, likely related to phishing or malware delivery.
Machine Learning
- Nyx PDF Classifier malicious score 0.9994
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware under the signature above.
- Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE): the document gives password instructions for an archive or attachment, a lure often used to keep payloads encrypted until after gateway scanning.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): a small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains rather than following a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): the PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): the same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://fokemale.ru/123?utm_term=zarchiver+donate++uptodown (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000fb61.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFB61 | 5060 bytes | bff47cc80dfb96d5b6bf96cea23352a968a759ea92f2974b95df13f0ce58d618 |
| font_01_sfnt_off00010ca9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10CA9 | 10960 bytes | 20a4b83c1f3895c8384e14c10379153a1a3fa39ffc6464925f348a62188e1083 |