MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9992
Heuristics 6
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI)
  PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL (PDF link annotation): https://jumiwimov.ru/strik?utm_term=how+to+be+a+fluent+english+speaker+pdf
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off000170bb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x170BB | 5560 bytes | 26dc7cb8fe3d5a16218388d74544cc86358b7ef695f5980ef39f995e62b2144f |
| font_01_sfnt_off000183a9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x183A9 | 11532 bytes | f23489963ed1ef0bff9130f1f410b1166aebcefbb04d32d2b41b8a28500086c0 |