Verdict: MALICIOUS
Risk Score: 164
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. It uses an invoice-themed lure. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9993
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Fake invoice / payment lure [low, SE_INVOICE_LURE]: Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://dugedepap.ru/123?utm_term=log+sheet+template+google+docs (PDF link annotation)
  - https://cdn-cms.f-static.net/uploads/4495262/normal_603d6d84bcf56.pdf (in PDF document text)
  - https://xigefazevape.weebly.com/uploads/1/3/4/6/134632801/lapadoxebelume.pdf (in PDF document text)
  - https://jomefexud.weebly.com/uploads/1/3/4/7/134732593/9241431.pdf (in PDF document text)
  - https://dozofuwel.weebly.com/uploads/1/3/5/9/135960373/3419045.pdf (in PDF document text)
  - https://static.s123-cdn-static.com/uploads/4476580/normal_5fe14affcced8.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4370785/normal_601046d429903.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4492573/normal_6054652a1c341.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - https://uploads.strikinglycdn.com/files/2e6e3cef-fb8b-40ce-81ff-2ab9d829da40/what_are_the_46_books_of_the_old_testament_in_order.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/1fadf4ef-b2ee-4aff-867c-8aca478123ac/45918504197.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/f7f5047f-cc42-4e0a-8117-9fe327b57d5d/love_in_the_time_of_cholera_analysis_essay.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/447e3d4e-ff25-45fd-8c98-f439d2af010c/how_do_you_check_the_manual_transmission_fluid_in_a_chevy_s10.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/c6512fe3-58da-4c79-96c2-3bb5c07676a6/58603593157.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/cf5fead8-3d68-41af-acc6-9451690dcb0e/lux_tx1500e_fan_blinking.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/6b829f6a-a353-42ed-8e33-ae61a53c8096/how_to_insert_a_tick_in_document.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/01de3793-5de6-4b4e-aa3f-ff40a6258560/72571291386.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/62e07510-cffa-43c9-930c-0e7313362b4f/92086374254.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/129b076a-20a5-4db0-b9e7-c83326527a7b/puwedalafebuzojitogejubi.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/1bf4c73e-d17c-4d4d-b2c4-3b43b40a7d13/19958394496.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/29297c73-a3ee-4a49-b93b-e1995d04a9ba/nosupu.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/85bd539f-ce2e-4236-99d4-859065d5373f/gilitisusenafadovatufop.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/af8f6b7f-5e00-4180-8e57-7dc8fe1c97f2/10_steps_to_successful_breastfeeding_poster.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/3724eb1e-7868-4321-913c-d165c67e5127/camino_de_las_lagrimas_jorge_bucay_resumen.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/b5179a20-8f2b-4a41-ba4f-85a8e31ef88d/penofuf.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/f39a383f-1696-4423-a424-ae470c49bf87/how_to_use_gimp_2020.pdf (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
  - http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000fae7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFAE7 | 5332 bytes | cbac8073612b2e9ba9740f9e97b4ce592a8e38c5fd7c4a0a143fd9160099d54c |
| font_01_sfnt_off00010cec.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10CEC | 10532 bytes | b8fd519418eaf52535cb89de094ae7d28ca4a8aea113da3e3cb7021e41663d42 |