MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9990
Heuristics 5
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI [info] PDF_URI
  PDF contains an external URL action
- Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info] EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://jumiwimov.ru/123?utm_term=giambattista+valli+h%2526+m+size+guide (PDF link annotation)
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000edf2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEDF2 | 4516 bytes | c7d73ab61d65ed50ee4d429d33f25e31fb247e76a43f06dc1b6cb03c816a6fd8 |
| font_01_sfnt_off0000fd4c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFD4C | 11620 bytes | 156f9b482c10d1d03af085cb8a79c0f000d227987f1e93f911564dba3273a0de |
| font_02_sfnt_off0001235f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1235F | 4324 bytes | 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333 |