MALICIOUS
Risk Score: 154
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF document contains a large number of external links, identified as a link farm, designed to redirect users to various malicious PDF files. The document's content and the presence of numerous external links suggest a phishing or scam attempt, likely to trick users into downloading further malware. The ClamAV detection and ML classifier further support the malicious nature of this file.
Machine Learning
- Nyx PDF Classifier malicious score 0.9452
Heuristics 4
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI (info, PDF_URI): PDF contains an external URL action
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000e66c.bin 0faf39f4d609799192b0cf20255078f888b4cd2225392ed3c54af161629b8a5f | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE66C | 5432 bytes |
| font_01_sfnt_off0000f8d7.bin 7b2745f9f17527e794db75ff30102cdd6caba3fda48514b4a6077aa651376bf2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF8D7 | 11752 bytes |
| font_02_sfnt_off00011f20.bin 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11F20 | 4324 bytes |