MALICIOUS
Risk Score: 156
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a large number of external links, many of which are SEO-optimized and point to benign-looking documents, suggesting a link farm designed to obscure malicious activity. One prominent URL, https://jottigo.ru/strik, is directly associated with the document's apparent theme of 'Zmodo wireless security camera system installation', indicating a likely phishing or malware distribution lure. The ClamAV detection and ML classifier strongly indicate malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9960
Heuristics 5
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://jottigo.ru/strik?utm_term=zmodo+wireless+security+camera+system+installation (PDF link annotation)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f214.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF214 | 5236 bytes | 43108fd6011acaabd88a14a7ac02c8406dd8aae2df3ef1aaf412ced02e50700b |
| font_01_sfnt_off000103e5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x103E5 | 10836 bytes | c5f9ec2cc10a2be6bef5c0780e002ea037ffa5e6aa04b2d3a2b33b86c994d29b |