Verdict: MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9948
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URLs
- https://leonvi.ru/strik?utm_term=literary+devices+list+high+school (PDF link annotation)
- https://cdn-cms.f-static.net/uploads/4377377/normal_5fd2de6bb4dce.pdf (in PDF document text)
- https://static.s123-cdn-static.com/uploads/4464524/normal_5feb179c8493e.pdf (in PDF document text)
- https://cdn.sqhk.co/girewobo/ihfARif/school_life_simulator_app_store.pdf (in PDF document text)
- https://cdn.sqhk.co/fukaxaxod/Kgezje1/music_arts_westerville_oh_43081.pdf (in PDF document text)
- https://cdn.sqhk.co/zubavagi/lngfgdk/sapar.pdf (in PDF document text)
- https://static.s123-cdn-static.com/uploads/4473062/normal_600985062c532.pdf (in PDF document text)
- http://gezudozu.iblogger.org/15988901359.pdf (in PDF document text)
- http://wikatugakuvifi.iblogger.org/rawakufisesolewu.pdf (in PDF document text)
- https://static.s123-cdn-static.com/uploads/4366381/normal_600777b84ee67.pdf (in PDF document text)
- https://cdn.sqhk.co/bizujutenifo/jihihdn/fuxozarijakavubiridobenuk.pdf (in PDF document text)
- https://static.s123-cdn-static.com/uploads/4476301/normal_5fed3600eb5de.pdf (in PDF document text)
- http://www.ascendercorp.com/ (in PDF document text)
- http://www.ascendercorp.com/typedesigners.html (in PDF document text)
- http://www.daltonmaag.com/ (in PDF document text)
- https://uploads.strikinglycdn.com/files/82e39155-bd86-42b9-b405-9d569834e08a/47725108296.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/6775c370-7a4d-429c-9e6e-6c5953cbf6ca/61253057963.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/c2d82e8c-4109-404a-a9d6-162dcd931d0a/throne_of_glass_box_set_amazon.pdf (in PDF document text)
- https://469ee322-798e-4c1d-9571-af6764901f97.filesusr.com/ugd/57169b_b305831489a54a7980547ac3dbf50b36.pdf?index=true (in PDF document text)
- https://uploads.strikinglycdn.com/files/c68444c0-45ab-42a9-8679-f9f881d7185c/vinijojuvuj.pdf (in PDF document text)
- https://03ca3561-abfe-48ca-9b59-b1b2b77f8126.filesusr.com/ugd/1af49e_0bc562aaec8648be87d818f69cc270d1.pdf?index=true (in PDF document text)
- http://jusaketij.rf.gd/97019767278.pdf (in PDF document text)
- https://c36efdde-2309-4ce2-a10d-b6df2ce12cd8.filesusr.com/ugd/e98059_0d0ba407653a41e0a39f1fcbf383ab14.pdf?index=true (in PDF document text)
- https://uploads.strikinglycdn.com/files/6181eb13-4341-47cb-bdfa-2c8b0df73388/31454369833.pdf (in PDF document text)
- http://xofunuxemijowex.rf.gd/angle_of_depression_worksheet_with_answers.pdf (in PDF document text)
- https://46b09160-81f9-4cb3-9cca-f7b5b0c0229e.filesusr.com/ugd/179cc6_6bbd32f04d8c477f93d7fc776fb35a07.pdf?index=true (in PDF document text)
- http://tanadumowijilum.rf.gd/jorge_luis_borges_labyrinths.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/9cefdcb3-3c6c-4a58-8eb7-ca4d9456a7a0/keurig_k10_not_working.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/34167ac5-a25d-4772-9cd6-403714691254/when_did_christianity_spread_in_rome.pdf (in PDF document text)
- https://8eeb1f0a-0cdd-4c66-98a4-83777b49fb54.filesusr.com/ugd/64f9d2_5adfcecf31ca474b93a2f97f83be06fb.pdf?index=true (in PDF document text)
- https://uploads.strikinglycdn.com/files/7f090b65-b373-492f-b325-4a636fad4643/the_importance_of_being_earnest_summary_shmoop.pdf (in PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
- http://purl.org/dc/elements/1.1/ (in PDF document text)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
- http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00012692.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12692 | 4984 bytes | e81cb67d6b821a7ab59f5e79dc5deef754e4ffc2f9119635d54d946b56e7fddd |
| font_01_sfnt_off000137a3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x137A3 | 10564 bytes | d31e566be755a86a316086e20fd205af66edc6fbed7936459ef42c682a411084 |
| font_02_sfnt_off00015ba8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15BA8 | 4324 bytes | b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c |