MALICIOUS
126
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing or trojan variant. It contains multiple embedded URLs, with a high-risk heuristic identifying one as part of a link farm on disposable hosting. The document body, though heavily obfuscated, contains text that appears to be a lure, directing the user to external sites. No scripts were extracted, but the presence of external links and the nature of the heuristics suggest a phishing or redirection attack.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://fokemale.ru/strik?utm_term=what+did+this+political+cartoon+mean PDF link annotation
- http://italywow.pro/wii_u_error_code_103_1401tp5cc.pdfIn PDF document text
- http://samaraexpo.com/dojuxosajl8bkt.pdfIn PDF document text
- http://bapitafi.22web.org/neoplasia_pulmonar.pdfIn PDF document text
- http://ketadiets.site/69562253137lxq4o.pdfIn PDF document text
- http://moymagazin.xyz/metro_last_light_play_orderz7r3h.pdfIn PDF document text
- http://vulgargirls.fun/vovatawelekenixitm9r.pdfIn PDF document text
- http://piwulag.sportsontheweb.net/logistics_manager_interview_questions_and_answers.pdfIn PDF document text
- http://mosomupusafebin.medianewsonline.com/mugazotejufu.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/392d065a-c1c7-44c4-90ec-e123d9503120/68475498526.pdfIn PDF document text
- http://tiruweditivunaw.myartsonline.com/87496518955.pdfIn PDF document text
- http://vanobibufasapes.rf.gd/service_pack_3_windows_media_player_version_10.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d0104757-049c-464d-bbce-d36808e16626/39432664364.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/45b40db6-1ac8-4503-b16e-f2301eeb6632/scott_mueller_upgrading_and_repairing_pcs.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/802fba38-6015-4777-94e3-0dc426199cdc/69385084251.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8b8f872f-56c6-4a92-a201-69a2ed7c6777/butefapofudifepixa.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e4047f0d-3271-4d84-9540-6c48d0fabb2e/sharp_carousel_convection_microwave_cookbook_free_download.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e133bc48-060b-43e4-b8ab-92888737b3b9/nekupexafove.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/4bb6960f-e3cd-4c79-9849-debbd9e06d48/pagituzagevurunilu.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/526ef48b-bfad-4162-ba82-baa00f4ad06d/sanyo_dp26649_remote_app.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f1844a95-2185-4b99-bf80-289670227e20/what_are_the_nursing_diagnosis_for_hypertension.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/28a81488-603c-4454-9b0b-f9c24d83338f/vuxelabavexegenefizosa.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/03b01296-3ae7-484c-beb5-64e53d8de0e0/how_many_questions_are_on_a_permit_test_in_alabama.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f636.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF636 | 2900 bytes |
SHA-256: 10a07fc969e6c8cf41398fcfefa625e426b29a45b33f3716d0886db1405c0d2a |
|||
font_01_sfnt_off00010079.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10079 | 5324 bytes |
SHA-256: dd19efbb81407e19c068cffd380e927ee2e0c403822986fc6316c153b2f8d14a |
|||
font_02_sfnt_off00011278.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11278 | 10368 bytes |
SHA-256: 0ec4921a82d719abc71a8da0fac0649ad1b3874bce2352314350f85391f7a693 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.