MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a large number of external links, many hosted on disposable domains, indicating a link farm designed to distribute malicious content or phish users. The heuristic PDF_SEO_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM firings strongly suggest this malicious intent. The ML classifier and ClamAV detection further confirm the malicious nature of the file, likely serving as a lure for further compromise.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://midufefew.ru/123?utm_term=oxford+dictionary+hack+apk PDF link annotation
- https://fivarebaxuru.weebly.com/uploads/1/3/5/3/135326201/zuliguxofu_vuvenebonowuwef_tebirapupiz.pdfIn PDF document text
- https://segagewemavovus.weebly.com/uploads/1/3/0/8/130874565/bumovebexelegezub.pdfIn PDF document text
- https://siteketu.weebly.com/uploads/1/3/4/3/134362374/7cd98c91f75f.pdfIn PDF document text
- https://lefoxidegej.weebly.com/uploads/1/3/4/5/134526886/8293810.pdfIn PDF document text
- https://nafizanoride.weebly.com/uploads/1/3/4/5/134596231/5576627.pdfIn PDF document text
- https://vufevilasok.weebly.com/uploads/1/3/4/3/134314299/71640978ff72.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://fixunomavow.pbworks.com/w/file/fetch/144610083/78193617184.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/00484c01-c6ce-4763-adb5-772e9af885d7/32763846365.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c86047a1-128c-4bad-ad1e-ffefc3d9ee20/mutejosudebuvuv.pdfIn PDF document text
- http://sonopewobu.pbworks.com/f/vusexijufepaje.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ec936e1f-cadb-42b5-962f-f72bb4322cda/tubezasuzolegozawajudi.pdfIn PDF document text
- http://giresizuloki.pbworks.com/w/file/fetch/144462978/13925120302.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d9c7e21c-1b58-4f6b-8f48-fd15a3a801e1/nomidewulufadepimir.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/90bf297e-48ee-4918-8577-d870c5ced8fb/what_does_the_rising_sun_mean_in_japan.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/4a87620e-b21a-4a15-a79c-c1b970fa5ef8/xawugim.pdfIn PDF document text
- http://betosaxugawi.pbworks.com/w/file/fetch/144450930/galelovasutipuxomivoxagu.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/346a8b94-def4-4963-8fff-3f32470dc5b3/tefutofijovalazebazexulu.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b5947469-b253-40f5-a0fa-14a96a307bb2/gixixarevuwawovolopibep.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a118e946-97b9-40a3-8893-24101ba62551/how_to_find_income_statement_in_accounting.pdfIn PDF document text
- http://kizisoj.pbworks.com/f/61419716526.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/719700c3-b361-46d4-839e-a87035d41330/how_to_change_the_code_on_my_honeywell_alarm_system.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c29050b5-5b25-41db-92ab-14a3a5b508bf/kitchenaid_a9_coffee_grinder_manual.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f0f2.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF0F2 | 5296 bytes |
SHA-256: c284e1faf89426046954402cc48a7cb85d071ef5a3525502804ccddac4bcaefb |
|||
font_01_sfnt_off000102fe.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x102FE | 12524 bytes |
SHA-256: a44edf96add40b72b83525fcef952fdd3dc0456edffc38fe7b3a2d63297c4500 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.