MALICIOUS
194
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file was identified as malicious by a machine learning classifier and ClamAV, indicating a high likelihood of malicious intent. It contains numerous external links, suggesting it is part of a link farm designed to drive traffic to other sites, one of which is a suspicious domain 'baarspo.ru'. The presence of a 'download' button lure further supports a phishing or scam objective. No scripts were extracted, but the overall structure points to a malicious document delivery mechanism.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://baarspo.ru/award?keyword=berys+gaut+pdf PDF link annotation
- https://static.s123-cdn-static.com/uploads/4384142/normal_600108dce90ba.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4408881/normal_602d5b3bdf0e1.pdfIn PDF document text
- https://cdn.sqhk.co/zivupowixede/bGjeRij/36887350553.pdfIn PDF document text
- https://cdn.sqhk.co/bekutojeke/jXjIjbx/death_city_zombie_invasion_hack_apk_download.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4504922/normal_6058756b9fdd7.pdfIn PDF document text
- http://lobabinuladeri.medianewsonline.com/11490238239.pdfIn PDF document text
- http://damomemisogadex.iblogger.org/betexenizosuvogix.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4407810/normal_602708654d53f.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4366359/normal_5fdf304bd36aa.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/d5041b2e-934d-49ea-a775-035461faef99/94700281533.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/fdf0962d-fa2f-417b-bdb3-5e04941f3a9d/72118157557.pdfIn PDF document text
- http://solobasoridevel.epizy.com/polonilerip.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/5bd7ca72-d159-4ed2-aecb-e8867976638d/zejofaniva.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/cc012dc6-e51b-47da-bbd1-2b955391664f/gurubejobe.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/9eafc4c1-ff8d-4680-aa6e-da0e58b0c319/delta_22-540_planer_parts.pdfIn PDF document text
- http://rokusagotigenov.rf.gd/texararune.pdfIn PDF document text
- https://c4a5d104-04f9-44e6-b03f-1f5edac3680f.filesusr.com/ugd/f23921_42d3a943712442bf8e50c2ac09aafe32.pdf?index=trueIn PDF document text
- https://e0d0d77b-4c00-4265-bc22-f0cc5cf11ada.filesusr.com/ugd/957eb4_e4f69b2f33f6415abe94c22fcb115709.pdf?index=trueIn PDF document text
- https://9907981b-0bc7-4fd3-a434-169f7cdadf42.filesusr.com/ugd/575363_72de2bb0dc4348b9816266661f842f95.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000ddbf.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDDBF | 5328 bytes |
SHA-256: 65a3507ab5c6de0e6912ca2c9edc34faaacf29ac78692832ce1618540148b469 |
|||
font_01_sfnt_off0000efff.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEFFF | 10644 bytes |
SHA-256: f6fdd6a73afead609e632d724ed3c29001300cadedba62965f77187199cfab44 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.