Verdict: MALICIOUS
Risk Score: 134

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF is a small "free download" lure of the SEO link-farm family: its body is a list of clickable PDF links spread thinly across many free/disposable hosting providers, and its one link annotation points to an SEO redirector on nipisod.ru whose utm_term query ("lord of the rings all parts download free") is the search phrase the page was built to rank for. Documents like this route searchers into redirect and payload chains rather than delivering the promised content. ClamAV independently flags the file with a Pdf.Phishing.Trojan signature. No exploit, JavaScript object or launch action is reported in the findings below; the risk lies in the linked destinations, not in the PDF itself.
Machine Learning
- Nyx PDF Classifier: malicious score 0.6803
Heuristics (6)

- CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- PDF_SEO_DISPOSABLE_LINK_FARM (medium): Small PDF is a non-clustered link farm on disposable hosting. The PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the "free document/template" SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure. The document contains a call-to-action phrase ("Click here to download", "Download Now", etc.). This is a low-signal finding on its own and only matters when other findings point to a malicious workflow, as they do here.
- PDF_URI (info): External URI. The PDF contains an external URL action.
- PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies. The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content; here it does not.
- EMBEDDED_URL (info): One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel below says which path (macro, JS, link annotation, document body, ...) reached each URL.
  - https://nipisod.ru/strik?utm_term=lord+of+the+rings+all+parts+download+free (PDF link annotation; the only URL the reader will actually open on a click)
  Links in the document body, all on free/disposable content hosts (22 links across 11 distinct hosts on 6 providers; no host carries more than 5). These are the link-farm payload:
  - https://cdn.sqhk.co/kujufemom/DhbFjcl/583760578.pdf
  - https://cdn.sqhk.co/mafulavet/aYjSihf/strategy_consulting_internship_interview_questions.pdf
  - https://cdn.sqhk.co/milibotobov/G1h4Shf/hill_climb_racing_glitch_2019.pdf
  - https://cdn.sqhk.co/nilimijano/h1icRAD/real_gangster_crime_simulator_2019_mod_apk.pdf
  - https://cdn.sqhk.co/wiwokosokif/b0lDgc4/69635232783.pdf
  - https://banafazag.weebly.com/uploads/1/3/4/3/134325205/9ce87b9a3ac3cd6.pdf
  - https://xamubamujizej.weebly.com/uploads/1/3/1/4/131483378/fedilojuvowaxedu.pdf
  - https://selilanabos.weebly.com/uploads/1/3/4/8/134875664/2951566.pdf
  - https://static.s123-cdn-static.com/uploads/4411252/normal_5fdd310bf0575.pdf
  - https://static.s123-cdn-static.com/uploads/4483070/normal_5ffa8c3abf11f.pdf
  - https://cdn-cms.f-static.net/uploads/4378853/normal_6056d8afb923d.pdf
  - https://cdn-cms.f-static.net/uploads/4418399/normal_601b7f18d4698.pdf
  - https://cdn-cms.f-static.net/uploads/4409819/normal_603cecd68dd39.pdf
  - https://uploads.strikinglycdn.com/files/aa347d45-986e-489d-964b-e06ad76ab0b0/53848288123.pdf
  - https://uploads.strikinglycdn.com/files/690a7104-950a-40ab-a285-fd70ce926bf9/how_to_solve_enthalpy_change_problems.pdf
  - https://uploads.strikinglycdn.com/files/f9f87d44-0fd5-407d-ab91-e9cd3524f8ca/beats_pro_solo_review.pdf
  - https://uploads.strikinglycdn.com/files/f627d61e-dea0-4c26-92c3-53d53c4aace2/35001770030.pdf
  - https://uploads.strikinglycdn.com/files/33bf5f55-390b-4cf3-841a-f2edb6999a94/38867577900.pdf
  - https://6674166f-eb58-46b1-9d38-a528bc95e02c.filesusr.com/ugd/e38d8e_1d0e6265369a44738a52fd88ae3c0cf6.pdf?index=true
  - https://da5bec28-7969-4117-8ffb-5069fce5e80c.filesusr.com/ugd/31593d_425bc7929f7649309f80b8dd2af70583.pdf?index=true
  - https://5de9ed01-d610-4143-94db-6f998645a8ce.filesusr.com/ugd/1d8bf6_0eaa8d16232746949ed44bde9285a673.pdf?index=true
  - https://27f1a270-5048-4778-87f0-574dfe85248a.filesusr.com/ugd/b7306e_b0b853cacc7e44378cd0dbfee22fdf86.pdf?index=true

  Strings in the document body that are not navigation targets: XMP namespace identifiers and the copyright/licence URLs carried by the embedded fonts (Lohit, Ascender, DejaVu, GNU FreeFont, SIL OFL, Sinhala). Any PDF with embedded open-source fonts contains these; they add nothing to the verdict and should be filtered before URL triage. Three of them were extracted with an adjacent font-name token glued on (`...hobbies.htmGNU`, `...gpl.htmRegular`, `...lgpl.htmlRegularDanhHong`); the URL portion ends at the file extension.
  - http://fedorahosted.org/lohit
  - http://www.ascendercorp.com/
  - http://www.ascendercorp.com/typedesigners.html
  - http://www.opentle.org
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/rights/
  - http://scripts.sil.org/OFL
  - http://dejavu.sourceforge.net
  - http://dejavu.sourceforge.net/wiki/index.php/License
  - https://savannah.gnu.org/projects/freefont/
  - http://www.gnu.org/licenses/
  - http://www.gnu.org/copyleft/gpl.html
  - http://www.geocities.com/mitra_anirban/hobbies.htmGNU
  - http://www.gnu.org/copyleft/gpl.htmRegular
  - http://www.gnu.org/licenses/lgpl.htmlRegularDanhHong
  - http://www.geocities.com/dnhhng
  - http://sinhala.sourceforge.net/
  - http://sinhala.cvs.sourceforge.net/viewvc/*checkout*/sinhala/sinhala/fonts/CREDITS
  - http://www.gnu.org/licenses/gpl-2.0.html
  - http://www.gnu.org/licenses/gpl.html
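To make the host-spread reasoning behind PDF_SEO_DISPOSABLE_LINK_FARM concrete, the following Python is an added example and not the analyzer's own code. It scores a document's extracted URLs the way the finding describes: set aside XMP-namespace and font-licence URLs, count clickable .pdf links, measure how thinly they are spread across hosts, and look for a utm_term SEO-redirector link or links parked on free/disposable hosts. It runs over a constructed subset of the URLs listed above and over a constructed benign control (one publisher host). The thresholds, the disposable-host list and the metadata-host list are assumptions chosen for illustration, not values from the report.

```python
"""Host-spread scoring for the PDF_SEO_DISPOSABLE_LINK_FARM pattern.

Added example, not the analyzer's code. It re-implements the logic the finding
describes: many clickable .pdf links spread across many hosts with no dominant
host, corroborated by a utm_term SEO-redirector link and/or links parked on
free/disposable content hosts. Thresholds and host lists are assumptions.
"""
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Assumed free/disposable content hosts (suffix match); extend for your environment.
DISPOSABLE_HOST_SUFFIXES = (
    "weebly.com", "sqhk.co", "s123-cdn-static.com", "f-static.net",
    "strikinglycdn.com", "filesusr.com",
)

# XMP namespace and font-licence URLs that most PDFs carry via metadata and
# embedded font strings. They are not navigation targets and are set aside.
METADATA_HOST_SUFFIXES = (
    "w3.org", "purl.org", "ns.adobe.com", "scripts.sil.org", "gnu.org",
    "sourceforge.net", "fedorahosted.org", "ascendercorp.com", "opentle.org",
    "geocities.com",
)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_links(urls, min_pdf_links=8, min_hosts=3, max_dominant_share=0.5):
    """Return host-spread metrics and a link-farm verdict for one document's URLs."""
    external = [u for u in urls
                if host_of(u) and not matches(host_of(u), METADATA_HOST_SUFFIXES)]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(host_of(u) for u in pdf_links)
    # Share of .pdf links on the single busiest host: near 1.0 for a normal
    # citation list, small for a farm that spreads links across providers.
    dominant_share = max(hosts.values()) / len(pdf_links) if pdf_links else 0.0
    seo_redirectors = [u for u in external if "utm_term" in parse_qs(urlparse(u).query)]
    disposable = [u for u in pdf_links if matches(host_of(u), DISPOSABLE_HOST_SUFFIXES)]
    is_link_farm = (
        len(pdf_links) >= min_pdf_links
        and len(hosts) >= min_hosts
        and dominant_share <= max_dominant_share
        and bool(seo_redirectors or disposable)
    )
    return {
        "external_links": len(external),
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "dominant_host_share": round(dominant_share, 3),
        "seo_redirectors": len(seo_redirectors),
        "disposable_links": len(disposable),
        "metadata_noise": len(urls) - len(external),
        "is_link_farm": is_link_farm,
    }


# Constructed subset (15 of 46) of the URLs listed in the report above.
REPORT_URLS = [
    "https://nipisod.ru/strik?utm_term=lord+of+the+rings+all+parts+download+free",
    "https://cdn.sqhk.co/kujufemom/DhbFjcl/583760578.pdf",
    "https://banafazag.weebly.com/uploads/1/3/4/3/134325205/9ce87b9a3ac3cd6.pdf",
    "https://cdn.sqhk.co/mafulavet/aYjSihf/strategy_consulting_internship_interview_questions.pdf",
    "https://static.s123-cdn-static.com/uploads/4411252/normal_5fdd310bf0575.pdf",
    "https://cdn-cms.f-static.net/uploads/4378853/normal_6056d8afb923d.pdf",
    "https://xamubamujizej.weebly.com/uploads/1/3/1/4/131483378/fedilojuvowaxedu.pdf",
    "https://uploads.strikinglycdn.com/files/aa347d45-986e-489d-964b-e06ad76ab0b0/53848288123.pdf",
    "https://6674166f-eb58-46b1-9d38-a528bc95e02c.filesusr.com/ugd/e38d8e_1d0e6265369a44738a52fd88ae3c0cf6.pdf?index=true",
    "https://uploads.strikinglycdn.com/files/690a7104-950a-40ab-a285-fd70ce926bf9/how_to_solve_enthalpy_change_problems.pdf",
    "https://cdn-cms.f-static.net/uploads/4418399/normal_601b7f18d4698.pdf",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://ns.adobe.com/xap/1.0/",
    "http://dejavu.sourceforge.net/wiki/index.php/License",
    "http://www.gnu.org/licenses/gpl-2.0.html",
]

# Constructed control: a normal document citing ten papers on one publisher host.
BENIGN_CITATIONS = [f"https://example.org/papers/{i}.pdf" for i in range(10)] + [
    "https://example.org/about",
]

if __name__ == "__main__":
    for name, urls in (("report sample", REPORT_URLS), ("benign control", BENIGN_CITATIONS)):
        print(name, classify_links(urls))
```

On the report subset the ten .pdf links land on seven distinct hosts with the busiest host holding only 20% of them, the annotation URL carries utm_term, and every .pdf link sits on a disposable host, so the verdict is a link farm; the control keeps all ten links on one host and trips nothing. The metadata filter matters in practice: without it, the 24 font-licence and XMP URIs in this sample would inflate the host count and make even a clean document look spread out.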
Extracted artifacts (14)

Files carved from inside the sample during analysis. Twelve of the fourteen are embedded sfnt fonts, which matches the font-licence strings found in the document text; only two are decompressed content streams, and none of the carved artifacts was flagged by a heuristic.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_006_off0001e08e.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1E08E | 4152 bytes | 3e00007926d71a15434e4067e84115ccac73cc82275ae807f27a22dd16a487f4 |
| stream_015_off0002ad0d.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2AD0D | 26188 bytes | 0f00e0f2cb623b48d5030d045f5f8a0f3054f83c3448b045a894bfc1d1d5df27 |
| font_00_sfnt_off0001a19d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1A19D | 8968 bytes | 3e679317895732371a3faa046e3928e484725a1d920cdf47c262ea5de7ce8b20 |
| font_01_sfnt_off0001b8f4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1B8F4 | 6188 bytes | 8b29cebf5aa19688230e00b701c1086dc993e705f4d80d0f08ab64743a4e80ae |
| font_02_sfnt_off0001ce59.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1CE59 | 5336 bytes | 9ff1205c2d1a6b9e14c0b94b88633540470ab294a73550e9abfa3195daf37bc2 |
| font_04_sfnt_off0001efa6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1EFA6 | 5220 bytes | 6899069e074361ff9ae708c8938aab8e9cfc0086f4cad1e18bedb901cd4f4ac6 |
| font_05_sfnt_off000200cd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x200CD | 6704 bytes | be65d23da9085eebde270cf50bae662999da9bad1f88d04c35f347e763800b1d |
| font_06_sfnt_off0002141d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2141D | 3856 bytes | 9e1d20c9c767db21051d39ab341d57e975972d26d8acc6cd24c097221bb46082 |
| font_07_sfnt_off000222ba.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x222BA | 3576 bytes | fb25a5190e71ae4b4d0233f2ecc5e3ace0835e2457237484fcac97ca6d740ff8 |
| font_08_sfnt_off000230c8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x230C8 | 7320 bytes | bcd6ee395b23653991fcfd2ad4e93d0518038c5713fea0d29b144a22cb193c05 |
| font_09_sfnt_off000247ce.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x247CE | 3668 bytes | cadb482540265dfbf985d6c8a20a1b6cb5cf296f080c60da894f9023e01a307e |
| font_10_sfnt_off000255f4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x255F4 | 7376 bytes | 6c8d76523fc731797468ff22f50887c772797c1cccd158ee346419ca21b0e14e |
| font_11_sfnt_off0002e9ec.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x269EC | 25416 bytes | 51b0d56fe4ce000ea197386bb57ab4d372f455e084a47e2c090bcac90703e77e |
| font_13_sfnt_off0002e15b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2E15B | 4420 bytes | 24f9e86b3c3d88b1c8f1c37a60b109569290bf3b0c9903c4473384ee93791f65 |
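The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL finding above is worth being able to reproduce on the raw file, because it is the one structural signal in this report and the same shape is used by targeted PDFs to show a scanner one object body and the viewer another. The following Python is an added example, not the analyzer's code: it scans raw bytes for every `N G obj ... endobj` definition, groups them by object number and generation, and reports the groups whose bodies differ, escalating only when a body carries active content (the severity rule the finding states). The sample PDF is constructed inline for the example and is not the analysed file; its xref tables are omitted, and the `/OpenAction` URI it contains is a placeholder.

```python
"""Detect PDF indirect objects defined more than once with different bodies.

Added example, not the analyzer's code. It implements the check behind the
PDF_DUPLICATE_OBJ_BODY_INCREMENTAL finding on raw bytes: collect every
'N G obj ... endobj' definition, group by (N, G), and report groups whose
bodies differ, raising severity only when a body carries active content.
The sample PDF below is constructed for the example and is not the analysed file.
"""
import re

# Top-level object definitions. The lookbehind stops a match starting inside a
# longer number; DOTALL lets bodies span lines. Objects packed inside compressed
# object streams (/ObjStm) are not visible to this scan and need inflating first.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)

# Dictionary keys that make a redefinition worth escalating.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
               b"/URI", b"/GoToR", b"/SubmitForm")


def find_duplicate_objects(data):
    """Return one finding per (num, gen) that is defined twice with differing bodies."""
    definitions = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        definitions.setdefault(key, []).append((m.start(), m.group(3).strip()))
    findings = []
    for key, defs in definitions.items():
        bodies = [body for _, body in defs]
        if len(defs) < 2 or len(set(bodies)) < 2:
            continue  # single definition, or a byte-identical re-save: not interesting
        active = any(k in body for body in bodies for k in ACTIVE_KEYS)
        findings.append({
            "obj": key,
            "definitions": len(defs),
            "offsets": [off for off, _ in defs],
            "first_wins": bodies[0],   # what a first-definition parser resolves
            "last_wins": bodies[-1],   # what an incremental-update-aware reader resolves
            "active_content": active,
            "severity": "medium" if active else "info",
        })
    return findings


# Constructed minimal PDF with two incremental updates (xref tables omitted).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n"
    b"4 0 obj\n<< /Title (Quarterly report) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Size 5 >>\n"
    # Update 1: object 4 re-saved with a new title (benign body-only change).
    b"4 0 obj\n<< /Title (Quarterly report, revised) >>\nendobj\n"
    # Update 2: the catalog is redefined to add an OpenAction with a URI. A
    # first-wins reader never sees it; a last-wins reader follows it on open.
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R"
    b" /OpenAction << /S /URI /URI (https://example.invalid/lure) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Size 5 >>\n%%EOF\n"
)

if __name__ == "__main__":
    for f in find_duplicate_objects(SAMPLE_PDF):
        print(f"obj {f['obj']} defined {f['definitions']}x at {f['offsets']}: "
              f"{f['severity']} (active content: {f['active_content']})")
```

Run on the sample, object 4 comes back as an informational body-only difference, the shape a normal "save" produces, while object 1 is escalated because its last definition introduces `/OpenAction` and `/URI`. When triaging a real file, diff `first_wins` against `last_wins` for any escalated object and open the document in a reader that honours incremental updates, since that is the body the victim's viewer will act on.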