MALICIOUS
126
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The sample is a PDF file flagged by ClamAV as Pdf.Phishing.Trojan and by an ML classifier as malicious. It contains numerous embedded URLs, many pointing to disposable hosting, suggesting a phishing or link-farming attempt. The PDF structure and embedded content, though heavily obfuscated, indicate an attempt to redirect users to external malicious sites, likely for credential harvesting or malware distribution.
Machine Learning
- Nyx PDF Classifier malicious score 0.9994
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://druttle.ru/wix?keyword=enthalpy+change+formula+reactants+minus+products PDF link annotation
- http://requiremcgood.com/how_to_hook_up_landscape_lighting_transformery1hud.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4459477/normal_5fefd39a224eb.pdfIn PDF document text
- http://pekuxareja.22web.org/business_communication_notes_for_bba.pdfIn PDF document text
- http://about-central.com/75313527200lulb7.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4495707/normal_603aea76d79b4.pdfIn PDF document text
- http://ximuvitu.iblogger.org/76737043908.pdfIn PDF document text
- http://batut.space/goxovokikemt6cc.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4382781/normal_6058715a665cd.pdfIn PDF document text
- http://birjand.design/ridax5xjag.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.daltonmaag.com/In PDF document text
- https://uploads.strikinglycdn.com/files/f7ef95c0-5ed1-4ac1-8aab-51fc6cf5f17f/the_signal_man_story_summary.pdfIn PDF document text
- https://s3.amazonaws.com/xakapudakadu/zipajo.pdfIn PDF document text
- https://s3.amazonaws.com/gatazeromij/similes_and_metaphors_worksheets_for_6th_grade.pdfIn PDF document text
- http://xomeluwika.rf.gd/restful_web_services_tutorial_java_youtube.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/1b6679f8-00c2-4b57-9226-ecb341eb2c78/why_does_my_water_softener_not_work.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/0b4ee395-5989-4444-89a8-70416e7d2dfc/acids_bases_and_salts_chemistry_worksheet.pdfIn PDF document text
- http://nadanopo.rf.gd/42248250918.pdfIn PDF document text
- http://kelawezup.rf.gd/astm_a370_17a_free_download.pdfIn PDF document text
- https://b6c9d0de-81a1-4db9-ab7d-8a95af9e63d6.filesusr.com/ugd/b28ae2_bf0b00c60c4c419dadb1401b4aa883de.pdf?index=trueIn PDF document text
- https://dce579ed-4708-43c3-aaeb-2c76a6268d78.filesusr.com/ugd/944939_eb6d496553664eafb880e8970b1e71f0.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/tidigudetefumof/jenn_air_ceramic_stove_top_replacement.pdfIn PDF document text
- https://56076a71-1b70-41e8-afe1-d547c394b4ee.filesusr.com/ugd/ab0d05_228009e7b70f4c0e9a492301411d723e.pdf?index=trueIn PDF document text
- https://8ac5c8e1-9174-427d-95c2-90bebb9f105a.filesusr.com/ugd/44b221_8beddd6410284d418115160dfc0e5a57.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000d93e.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD93E | 5508 bytes |
SHA-256: c6671873a1de8a425962b07fbade7d6aadaf96f94004e0d477209e7489559e18 |
|||
font_01_sfnt_off0000ebd2.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEBD2 | 10816 bytes |
SHA-256: 9e7cbfaddcfba4911b5c0b51c2ccdbcb0c90ae99b7029e8343a591aaa52a4d65 |
|||
font_02_sfnt_off000110e8.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x110E8 | 4324 bytes |
SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.