Verdict: MALICIOUS
Risk Score: 186

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF is a small document whose body carries a large number of external links, most of them to free or disposable hosting (filesusr.com and strikinglycdn.com site-builder storage, plus throwaway domains such as retys.fun and ita-yog.space). That is the shape of a generated SEO link farm that routes search traffic into payload or redirect chains, not of a document that cites sources. ClamAV flags the file as Pdf.Phishing.Trojan and the Nyx PDF classifier scores it 0.9989 malicious. None of the heuristics reports JavaScript, a launch action or an embedded file, so the verdict rests on the link farm and the signature rather than on code inside the PDF; the risk is in the linked destinations. The two link-farm rules that fired (clustered on one host, and spread across many hosts) are not in conflict for this file: 12 of the 25 link-farm targets sit under filesusr.com and 4 under strikinglycdn.com, so the links cluster by registrable domain, while every filesusr.com link uses a distinct UUID subdomain, so they scatter by full hostname. The duplicated indirect object is reported at info severity, meaning the differing bodies carry no active content. The extracted-URL list also sweeps up XMP namespace and font-licence strings, which are not link-farm targets.
Machine Learning
- Nyx PDF Classifier malicious score 0.9989
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM). Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM). Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the "free document/template" SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI). PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL). The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

| URL | Channel |
|---|---|
| https://resalured.ru/aws?utm_term=ameritron+al-80a+schematic | PDF link annotation |
| http://retys.fun/ignou_date_sheet_dec_2019_bca28iar.pdf | PDF document text |
| http://garant-ritual.online/12831741129wy7sc.pdf | PDF document text |
| http://jarowulizose.sportsontheweb.net/texas_instruments_ba_ii_plus_professional_battery_replacement.pdf | PDF document text |
| http://reduslimitalia-ufficiale.site/bang_rajan_2_full_movieh5wmj.pdf | PDF document text |
| http://ins.expert/toro_824_snow_thrower_manualc0b97.pdf | PDF document text |
| http://xuxetosufuzo.getenjoyment.net/the_boy_in_the_striped_pyjamas_full_movie_in_hindi_download.pdf | PDF document text |
| http://ita-yog.space/how_much_does_a_military_officer_get_paidzvv9y.pdf | PDF document text |
| http://www.ascendercorp.com/ | PDF document text |
| http://www.ascendercorp.com/typedesigners.html | PDF document text |
| http://www.opentle.org | PDF document text |
| https://da99f664-88c7-4a27-98aa-0bbcec2e8f57.filesusr.com/ugd/66f3f9_473719c4f83c408c8174e4d8262b085f.pdf?index=true | PDF document text |
| https://089130c0-62ae-4bf1-a93c-656440fe8451.filesusr.com/ugd/738632_5f1b1832317845e589bad7171fdc040b.pdf?index=true | PDF document text |
| https://4de1274e-a26b-4e71-a0d1-d86f0cfee7ee.filesusr.com/ugd/ee4d88_3289c77a9f7a43819e8420b33b172b71.pdf?index=true | PDF document text |
| https://51f47fa2-20f7-4ec4-bb91-8ae4aee689b4.filesusr.com/ugd/917232_ad210eec78904ae1ac508d2c930fc447.pdf?index=true | PDF document text |
| https://d62ff7d9-aefc-4ab8-8cdf-af38868aea16.filesusr.com/ugd/54b9a1_92cd62dfd81d4ccba34e01c9cb02e5fb.pdf?index=true | PDF document text |
| https://69c5641f-197a-42c1-bef1-daa502c1f1d7.filesusr.com/ugd/948cea_d188d3de3cff4e4ebfeacb75a1d18265.pdf?index=true | PDF document text |
| https://ee897e78-a157-4eb5-8a47-d615096087a2.filesusr.com/ugd/113e89_21ce35b25c4b463784ffbd22d96f4f7d.pdf?index=true | PDF document text |
| https://uploads.strikinglycdn.com/files/35907d3b-b0c3-4eae-bac3-0ae42fc5e185/gaguvawidozokajunazexag.pdf | PDF document text |
| http://gaxilitexu.onlinewebshop.net/how_to_tie_loop_knot_with_braid.pdf | PDF document text |
| https://uploads.strikinglycdn.com/files/9ead5fe8-e3be-41da-b01c-c3a4fd4e0c35/89206402527.pdf | PDF document text |
| https://121f8fc1-d270-4171-a721-8ccd656fc20f.filesusr.com/ugd/2ca22b_76a358350c30438695e6d8a54535b8a9.pdf?index=true | PDF document text |
| https://uploads.strikinglycdn.com/files/a7fab6e2-5721-4da7-9d1b-787ec58704b1/27431705005.pdf | PDF document text |
| https://40fd9d30-e691-4ad4-9ff9-7de67b304886.filesusr.com/ugd/45b27a_c1cc359174d34342a491c5038fdc4e00.pdf?index=true | PDF document text |
| https://0b46dc67-b6bf-47f6-be73-9cc337a8c672.filesusr.com/ugd/4fb05f_ed70b9757d0f44839da5f7c3a7a087f8.pdf?index=true | PDF document text |
| https://35479656-6a94-44d6-ac55-da507c14a2ae.filesusr.com/ugd/d68318_21a215a0d9f743d38ae112084091f6fa.pdf?index=true | PDF document text |
| https://uploads.strikinglycdn.com/files/7fa3a08f-20dd-42c7-8ed1-8f17264d11bd/jadezulabodidetotozeba.pdf | PDF document text |
| https://3485775d-af35-4505-8fb4-f6750f575e04.filesusr.com/ugd/42f18e_471e9783c9654720848a195bfff307d7.pdf?index=true | PDF document text |
| http://www.w3.org/1999/02/22-rdf-syntax-ns# | PDF document text |
| http://purl.org/dc/elements/1.1/ | PDF document text |
| http://ns.adobe.com/pdf/1.3/ | PDF document text |
| http://ns.adobe.com/xap/1.0/ | PDF document text |
| http://ns.adobe.com/xap/1.0/mm/ | PDF document text |
| http://ns.adobe.com/xap/1.0/rights/ | PDF document text |
| http://scripts.sil.org/OFL | PDF document text |
| http://www.gnu.org/licenses/gpl.html | PDF document text |

Not every row is a link-farm target. The RDF, Dublin Core and XMP namespace URIs are the standard namespaces of the PDF's XMP metadata packet, and the ascendercorp.com, opentle.org, scripts.sil.org/OFL and gnu.org/licenses entries are, by all appearances, font-vendor and licence strings carried by the embedded fonts (three sfnt fonts are carved from this file). Triage and blocking effort belongs on the remaining 25 targets: the resalured.ru annotation with its utm_term SEO-redirector parameter, the eight throwaway domains, and the 16 filesusr.com and strikinglycdn.com uploads.
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000dee1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDEE1 | 5396 bytes | c8d131d2a3eaa04bf9fa18dcc46d5a448a8ceca735578a0dd6f2dfdc63763994 |
| font_01_sfnt_off0000f102.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF102 | 6068 bytes | b5e6e0f87be606f5fabecc4569233ad57d2d8395b2d44fa4cdd6ca511bc5efac |
| font_02_sfnt_off000100b0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x100B0 | 10488 bytes | 544ca7f1c2ae3749cc22786375c4cd0b9acd342784d30907ef4bf1e63cc7e714 |

All three carved artifacts are embedded sfnt font streams; no executable, script or embedded file was carved, which is consistent with the heuristics placing the risk in the linked destinations rather than in the PDF itself.