Risk Score: 186 (MALICIOUS)

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains numerous external links, a common tactic for SEO link farms, with one prominent URL pointing to a suspicious domain. ClamAV and ML heuristics also flagged the file as malicious, specifically identifying it as a phishing or trojan PDF. While no scripts were directly extracted, the structure and heuristics suggest an attempt to redirect users to malicious content.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9996
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://gimoguvi.ru/award?keyword=importance+of+activity+based+learning+pdf (PDF link annotation)
  - http://vetovikaxu.mypressonline.com/zixijekewuvamuwarolonuge.pdf (in PDF document text)
  - http://pumaguli.scienceontheweb.net/jmu_university_outpost_coupon_code.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - https://uploads.strikinglycdn.com/files/d50a1851-f88b-4121-86b9-6f1425b87bb8/defelexijevofurogudajunus.pdf (in PDF document text)
  - http://wajalapivibobi.epizy.com/achievement_award_template_word.pdf (in PDF document text)
  - https://s3.amazonaws.com/salade/49060116566.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/75c5169f-1e99-4391-8422-92a27fcabaed/xiwozugi.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/133e8393-302c-483b-8df8-d1366ed9d9b9/ridgid_6_gallon_pancake_air_compressor_review.pdf (in PDF document text)
  - https://s3.amazonaws.com/woneketelak/ruxeninapi.pdf (in PDF document text)
  - https://s3.amazonaws.com/telasebisu/mamow.pdf (in PDF document text)
  - https://s3.amazonaws.com/zozofufulolig/printable_math_worksheets_for_grade_3.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/577145cd-ec35-4bf5-9980-85a3a4d074e4/tork_454d_digital_timer_manual.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/aa666d08-0ead-422b-8c60-faac8cca5bca/data_analysis_using_software_packages_microsoft_excel_and_spss.pdf (in PDF document text)
  - http://mukanebesiva.atwebpages.com/84452998618.pdf (in PDF document text)
  - http://wiwazisumi.rf.gd/deparizizemusireto.pdf (in PDF document text)
  - https://eb40363d-1d1f-4170-a897-f23f0f433116.filesusr.com/ugd/2a1429_db310b673a794f6fa52e44bd6229ea11.pdf?index=true (in PDF document text)
  - https://c31d65df-273c-4bcc-acfb-7b03b0724b99.filesusr.com/ugd/e7e4a0_dee3d0bd348c4fad80eac464d2a85aaa.pdf?index=true (in PDF document text)
  - https://uploads.strikinglycdn.com/files/99fd4e73-c360-4974-9cd6-7d87fd4da3ef/fekazuwidukoverelal.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/a9260bbc-36f6-40eb-b81e-68e514834b3d/senufomewokate.pdf (in PDF document text)
  - http://zaramapowo.rf.gd/xarugesoxeninulatuje.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/2fb641d9-f294-4a6d-83a7-a9538da6eb68/36678082754.pdf (in PDF document text)
  - https://db7841a4-af10-4990-a2be-f084cd4acbf6.filesusr.com/ugd/e3c460_03e1cb1e3a9c465594789eedb0746077.pdf?index=true (in PDF document text)
  - https://s3.amazonaws.com/dovulavavo/kesorurakudesavigususon.pdf (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
  - http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f4ae.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF4AE | 5712 bytes | e436af8576ed263fa4c949c9502842a018b13f7f143fdd717f48c9db7a159948 |
| font_01_sfnt_off0001080e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1080E | 10488 bytes | 152c41cdce45caedc9d015d1690b5fd7787f621999a1e0dcd535bd0168035666 |