MALICIOUS
146
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains embedded URLs and is flagged as a link farm on disposable hosting, indicating a phishing or redirection attempt. The ML classifier and ClamAV detection strongly suggest malicious intent. The document body, though heavily obfuscated, appears to contain search-related text, aligning with the lure to a URL that mimics a search result.
Machine Learning
- Nyx PDF Classifier malicious score 0.9991
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Malformed active-content stream length medium PDF_MALFORMED_EXPLOIT_STREAM_LENGTHA PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://jacksth.ru/strik?utm_term=what+size+tires+are+on+a+ford+focus PDF link annotation
- https://cdn-cms.f-static.net/uploads/4388177/normal_604ca1a9aefca.pdfIn PDF document text
- http://zagavexakagin.mypressonline.com/zoparob.pdfIn PDF document text
- http://kamikofonem.mygamesonline.org/jadesojaxaxifipisubarove.pdfIn PDF document text
- http://xomunuxeju.sportsontheweb.net/47296074049.pdfIn PDF document text
- http://nomokesus.sportsontheweb.net/midesigemetelokolorama.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4464532/normal_5ff8b452ee533.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4443602/normal_5fe461bf97414.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4447464/normal_5fceeee29f751.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4469106/normal_6021a251e1b77.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/0e40c4ae-fa83-4276-863c-d4106e7abb9a/78664353897.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/bad10258-e05d-44c5-be3d-719c28c3e857/vuradadoxuselijumuzan.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f313f586-5a4d-49bd-a605-dd1d76f74ce5/21492744817.pdfIn PDF document text
- https://s3.amazonaws.com/wazagidonux/16879134652.pdfIn PDF document text
- https://s3.amazonaws.com/veledabejufi/mezaritage.pdfIn PDF document text
- https://s3.amazonaws.com/sefukirexuwekij/jopirigakaj.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b4bf4e15-3b92-46e6-9347-6bca0256869a/94316861771.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/229ad7b6-265f-43ba-81f4-a5c91884ca65/padefujepepa.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/acf20c37-c27f-4191-bc4f-84ec35eab6fa/61268544797.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/01fb2db4-7d10-4a1f-a746-0f4c732769f2/30039475550.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/39f23edf-e61a-470a-a2c8-e639f63d5c90/xetumupogulexisowal.pdfIn PDF document text
- https://s3.amazonaws.com/xifabilejilab/nagomidosekomugupaf.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f5549603-a4dd-4512-b271-f7c7bba6abd3/masterbuilt_40_electric_smoker_brisket_recipe.pdfIn PDF document text
- https://s3.amazonaws.com/numegubowalonan/boosting_self_confidence.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/1b23bd97-15e4-4836-b747-489026cf9661/gas_pipe_line_installation_near_me.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000fcba.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFCBA | 5140 bytes |
SHA-256: e2d745fd15a9d8b07dda767b2b5a7d12322606e63e2d932d22f331a9fbed803c |
|||
font_01_sfnt_off00010e43.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10E43 | 10848 bytes |
SHA-256: 23e34d33579aacaedd6c576a4b5ddbaed75a0d79c504ec5867dcd781e3c19928 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.