MALICIOUS
134
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF document is identified as malicious by ML classifiers and ClamAV, and contains numerous embedded links. One of these links, 'https://xezojetit.ru/123?utm_term=upper+extremity+study+guide', points to a domain associated with link farming and disposable hosting, suggesting a phishing or malware distribution attempt. The document's content, though heavily obfuscated, appears to be a lure for a download, aligning with a spearphishing attachment tactic.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://xezojetit.ru/123?utm_term=upper+extremity+study+guide PDF link annotation
- https://cdn-cms.f-static.net/uploads/4452372/normal_6013b2e73bb74.pdfIn PDF document text
- http://bepeteferavo.22web.org/71030579352.pdfIn PDF document text
- https://cdn.sqhk.co/nomazotesi/jaFieeC/can_you_escape_horror_4_walkthrough.pdfIn PDF document text
- https://cdn.sqhk.co/letarezetap/jjgcjiX/bluestacks_hd_app_player.pdfIn PDF document text
- https://cdn.sqhk.co/dakizenewa/jeibLBm/23154064628.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4455376/normal_5fe2a9333b734.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4498971/normal_6056aeb21b57b.pdfIn PDF document text
- https://cdn.sqhk.co/mafowixodi/dgjhchf/60839698310.pdfIn PDF document text
- http://ruwakus.22web.org/pesibivumemakeluzajun.pdfIn PDF document text
- https://cdn.sqhk.co/dowivita/7a7e9gd/viwewi.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.daltonmaag.com/In PDF document text
- https://uploads.strikinglycdn.com/files/47752b5b-90ac-49a4-9ac1-8bf5b95e10c5/hp_photosmart_plus_b209a_setup.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/51b55d23-5557-4ecb-80f9-42f3be809596/zofusugaxamubapu.pdfIn PDF document text
- http://bekepijamewevo.epizy.com/57799227026.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/464bf25e-3d90-488a-87a1-15a0f5880e1f/how_to_factory_reset_hikvision_camera_password.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/4e66552a-7d46-40f5-b734-68e323e84332/52148770625.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/89246773-d72c-4c4c-8441-4f1d711db168/tasco_trail_camera_review.pdfIn PDF document text
- http://mapesag.epizy.com/riginenulifu.pdfIn PDF document text
- http://zetafonetupusef.epizy.com/88076416268.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000111c7.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x111C7 | 4864 bytes |
SHA-256: cf9dd033de460971ed48bca30ef6b54b4c00777a880b539176c8f7650d094796 |
|||
font_01_sfnt_off0001225f.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1225F | 11760 bytes |
SHA-256: 2c5be887183adefd76df47a0e63ca8ab76ff709739ed750017f07ab19a2adfcc |
|||
font_02_sfnt_off00014a01.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x14A01 | 4324 bytes |
SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.