MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a large number of external links, with a critical heuristic firing for a 'PDF_SEO_LINK_FARM'. One of the primary external links identified is 'https://bologen.ru/wix?keyword=even+odd+identities+calculator'. While no scripts were directly extracted, the presence of numerous external links and the ML classifier's high confidence score suggest a malicious intent, likely related to phishing or malware distribution.
Machine Learning
- Nyx PDF Classifier malicious score 0.9990
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://bologen.ru/wix?keyword=even+odd+identities+calculator PDF link annotation
- https://static.s123-cdn-static.com/uploads/4421473/normal_5ff367fc9548c.pdfIn PDF document text
- http://particulieres-societegenerale.best/64615012382vvbq6.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4460247/normal_602ca19ddfa96.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4489733/normal_601f80f89ca5e.pdfIn PDF document text
- http://dfds.in/repair_service_for_kenmore_refrigeratorstgda.pdfIn PDF document text
- http://kuxufijum.iblogger.org/counting_by_tens_worksheets_grade_3.pdfIn PDF document text
- http://pasetbs.xyz/harlan_ellison_i_have_no_mouth_game08val.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4484835/normal_6016c3e01fa87.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://buwanizun.epizy.com/limiting_reactants_11._3_worksheet_answers.pdfIn PDF document text
- https://19f621d4-ab03-49b5-bf1d-c78de40104d4.filesusr.com/ugd/bc84a3_e8f7bd3f8b824497b913db2c9380273c.pdf?index=trueIn PDF document text
- https://9fc80a0e-b25b-4135-afeb-9811a1ea6bf8.filesusr.com/ugd/91e123_840a2f4c96dd4e20a609bc62a9ad036f.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/lorifawuvawot/jegesatib.pdfIn PDF document text
- https://s3.amazonaws.com/gomakobez/lapizunevef.pdfIn PDF document text
- http://wixudilasajigil.rf.gd/resumen_libro_ciudad_de_las_bestias.pdfIn PDF document text
- https://s3.amazonaws.com/lokijuronig/alien_shooter_2_reloaded_trainer.pdfIn PDF document text
- https://8d59741e-369e-44be-b01e-8fbcb09d2d01.filesusr.com/ugd/7cefa9_823b5beb8fcb43648e254f3433db23d8.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/popilo/gujoxafewodo.pdfIn PDF document text
- https://94aa8f26-b07a-4c24-bdb4-4112657565c9.filesusr.com/ugd/37428b_55d9453f9c9c48acbe5986332b050d02.pdf?index=trueIn PDF document text
- https://ba428ff1-d53d-4eb5-bdb2-cc960067f420.filesusr.com/ugd/7041e4_c68d62a0a5eb4d93abdf2c8a72caf905.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/kufazete/company_of_heroes_legacy_edition_fullscreen.pdfIn PDF document text
- https://237a2310-9536-43ad-add1-fe73b840a51a.filesusr.com/ugd/8b319d_a785fe24ed7e4b7f85b5769023d1ad71.pdf?index=trueIn PDF document text
- http://lelisavebak.rf.gd/android_auto_apk_mirror.pdfIn PDF document text
- https://42190e62-4dca-482d-a077-ae7b222d7779.filesusr.com/ugd/b91392_9a54b4f28f5740f29bff1f47204a3d21.pdf?index=trueIn PDF document text
- https://8319d365-0190-44ee-b2f3-e76f6fd230eb.filesusr.com/ugd/112488_c16659430b514fe68c2517b4c7116a50.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e9ab.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE9AB | 4948 bytes |
SHA-256: a4cbe957968e1106b419d0bc4c94a2a85bc6f74d8593b2dd8c29c0ad28426b84 |
|||
font_01_sfnt_off0000fa96.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFA96 | 12420 bytes |
SHA-256: 67ca2af361966aefee48dda8fa21dd0ee0c1ba57735b3b1c92a02520c98cee6e |
|||
font_02_sfnt_off00012542.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12542 | 16124 bytes |
SHA-256: 4de7a4a107495d8a371c2593c685a567c8b890c2ace75fda898322b6a37796e4 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.