Verdict: MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
This PDF file was flagged by multiple heuristics as a link farm, containing numerous external links to disposable hosting sites. The ML classifier and ClamAV also identified it as malicious, specifically as a phishing trojan. The embedded URLs suggest an attempt to redirect users to potentially malicious content or phishing sites.
Machine Learning
- Nyx PDF Classifier malicious score 0.9991
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://garglob.ru/pbw?utm_term=hello+neighbor+android+alpha+2 (PDF link annotation)
  - https://gaxezoxo.weebly.com/uploads/1/3/0/7/130776828/tapizupalurej.pdf (in PDF document text)
  - https://nenopejir.weebly.com/uploads/1/3/4/6/134603535/pemuremotuw_xokusutepaf_gekalekugexemir.pdf (in PDF document text)
  - https://suduwigopoda.weebly.com/uploads/1/3/4/5/134587425/wijesabu_didik.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4389101/normal_605b9f82a50a9.pdf (in PDF document text)
  - https://mugaditovamamuk.weebly.com/uploads/1/3/0/7/130776340/bexalefag_sututiv_gimujizatuximob_mumurazeneja.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4473031/normal_60430e6e787c7.pdf (in PDF document text)
  - https://lojopozubog.weebly.com/uploads/1/3/1/6/131606756/8477423.pdf (in PDF document text)
  - https://fasosizive.weebly.com/uploads/1/3/4/3/134351581/sumevekezawovisoba.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4453532/normal_604a5fec16270.pdf (in PDF document text)
  - https://voxugenones.weebly.com/uploads/1/3/1/8/131871951/tuxisovo_guxir_xizaroxi.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - https://uploads.strikinglycdn.com/files/41b8c250-9cb4-4868-a5cc-0d8871710532/does_jack_die_in_criminal_minds.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/aa43f5b9-70b5-42a1-b847-81edcb11348d/best_hindi_songs_for_dance_competition.pdf (in PDF document text)
  - http://nosiravuga.pbworks.com/w/file/fetch/144480675/adding_3_fractions_with_unlike_denominators_worksheets.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/15fd43e6-d3ef-488d-93fd-3205007551d2/milevisoxubotedipawuto.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/10c5bbc7-aa83-4b62-ad99-f5a1b3bd6543/61097912557.pdf (in PDF document text)
  - http://fadoposapat.pbworks.com/f/juripafigekunuxuver.pdf (in PDF document text)
  - http://buvulareka.pbworks.com/w/file/fetch/144880752/broughton_hall_uniform.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/def1753c-4725-4f36-beb0-4b456aebb9a3/monster_illuminessence_instructions.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/735f9df2-6f86-4eea-9186-4f141b9da8d0/deutsch_c1_vk.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/14e531ea-46d7-4a23-9099-3570b95e0fdd/2000_ford_ranger_xlt_tire_size.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/9ef4b8f3-fa0d-4921-9537-46b96ed56679/bokijivimipowexevawezi.pdf (in PDF document text)
  - http://zelovoguvunu.pbworks.com/f/download_gta_5_ps3_iso_highly_compressed_for_android.pdf (in PDF document text)
  - http://zilujilixeti.pbworks.com/w/file/fetch/144783891/dosigevenadixafumolikege.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/bd5d596b-9cbf-435e-9af7-ba70cb965256/how_can_i_check_my_ptcl_bill_with_cnic.pdf (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
  - http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000eeb7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEEB7 | 5276 bytes | 200f2cd5039742971c22bcff27263d0016b347e4674eef3a375d883ec211748e |
| font_01_sfnt_off00010094.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10094 | 10096 bytes | a3e9c9083f65067d5bd42a7d351fc7f8b301b8808ff2b4f0d5821545eb654274 |