Verdict: MALICIOUS (Risk Score 124)
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript (note: no JavaScript was extracted from this sample, so this mapping is not corroborated by the heuristics below; treat it as a classifier-derived guess rather than an observed behaviour)
The PDF contains multiple embedded URLs, one of which points to a suspicious domain ('nomylo.ru') through a utm_term-tagged SEO redirector that is likely part of a phishing or malware distribution chain. The PDF_SEO_DISPOSABLE_LINK_FARM heuristic matches the 'free document/template' SEO-phishing pattern: many thin links to other PDFs parked on free or disposable content hosts, with no single dominant host. No scripts were extracted, so the file itself carries no exploit; the structure and URL usage are those of a phishing lure, delivered as a spearphishing attachment or surfaced through search results, and the risk lies in the linked destinations.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9565
Heuristics (4)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware under that signature name.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): a small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free or disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload or redirect chains rather than following a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): the PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - https://nomylo.ru/pbw?utm_term=fnaf+ar+special+delivery+guide
  - https://piziwola.weebly.com/uploads/1/3/1/3/131382430/3fda6ff8.pdf
  - https://cdn-cms.f-static.net/uploads/4469105/normal_601958fc69629.pdf
  - https://roguxewotare.weebly.com/uploads/1/3/4/3/134319265/b52cb9534cb5bff.pdf
  - https://vevinobe.weebly.com/uploads/1/3/4/4/134487659/6194474.pdf
  - https://cdn-cms.f-static.net/uploads/4374963/normal_60610ca681c2f.pdf
  - https://jakugogafezokev.weebly.com/uploads/1/3/1/4/131437362/74b8c0878dff.pdf
  - https://sopulekazixov.weebly.com/uploads/1/3/0/7/130776801/6985250.pdf
  - https://ganupedudajoz.weebly.com/uploads/1/3/4/5/134586443/4671c1580508eba.pdf
  - https://fotelosalif.weebly.com/uploads/1/3/4/4/134463398/razefifid-sorilofosu-logav-luzolur.pdf
  - https://kivuxobusev.weebly.com/uploads/1/3/1/8/131871605/wosiguzizawazizaxele.pdf
  - https://cdn-cms.f-static.net/uploads/4488336/normal_600e5a87d5f24.pdf
  - https://cdn-cms.f-static.net/uploads/4476580/normal_606b418a1dbce.pdf
  - https://cdn-cms.f-static.net/uploads/4365586/normal_6009fe1cdb275.pdf
  - https://nefarixuk.weebly.com/uploads/1/3/1/4/131407944/4637942.pdf
  - http://www.ascendercorp.com/
  - http://www.ascendercorp.com/typedesigners.html
  - http://buvavipoluvu.pbworks.com/f/how_to_write_an_email_requesting_job_shadowing.pdf
  - https://uploads.strikinglycdn.com/files/96d7a8d8-50aa-4999-b753-a501aecba44e/problemas_de_proporcionalidad_y_porcentajes_2_eso.pdf
  - https://uploads.strikinglycdn.com/files/e7d0cfe3-6105-429c-bc1f-91959f4dbc55/55043133714.pdf
  - http://negaboxa.pbworks.com/f/ziwosabodilakexu.pdf
  - http://wuwazilizos.pbworks.com/f/pogelipajat.pdf
  - https://uploads.strikinglycdn.com/files/55e29ddc-b5b7-4bd7-a16c-0c56860dd08b/what_would_cause_dryer_not_to_heat.pdf
  - https://uploads.strikinglycdn.com/files/511de17c-153a-4e31-9475-6cf06ec0ff70/54451284384.pdf
  - http://xosufixemuf.pbworks.com/w/file/fetch/144433782/why_school_uniforms_should_not_be_worn.pdf
  - http://scripts.sil.org/OFL
  Triage note: the two ascendercorp.com URLs and the scripts.sil.org/OFL URL are a type foundry's site and the SIL Open Font License page, which is consistent with the embedded sfnt font carved from the sample; they are almost certainly font-metadata strings rather than lure destinations. The remaining URLs (the utm_term redirector on nomylo.ru and the PDFs parked on weebly.com, f-static.net, pbworks.com and strikinglycdn.com) are the ones to block or detonate.
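The PDF_SEO_DISPOSABLE_LINK_FARM heuristic above is described in words only. The following is an added illustration, not the analyzer's own code, of how the two halves of that check can be implemented: pulling `/URI` link actions out of raw PDF bytes, then scoring the resulting URL set for "many links, thin spread over many hosts, corroborated by a utm_term redirector or disposable hosting". The disposable-host list, the thresholds (8 links, 5 distinct hosts, no host holding more than half the links) and the tiny PDF fragment are assumptions constructed for the example; only the URL strings are taken from this report's embedded-URL list.

```python
"""Link-farm scoring in the spirit of PDF_SEO_DISPOSABLE_LINK_FARM.

Added illustration, not the analyzer's code. The disposable-host list, the
thresholds and the tiny PDF below are assumptions/constructed for the example;
the URL strings are taken from this report's embedded-URL list.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Assumption: free/disposable content hosts typical of this PDF family.
DISPOSABLE_HOSTS = ("weebly.com", "pbworks.com", "strikinglycdn.com", "f-static.net")

# /URI (literal string) inside an uncompressed link action; tolerates PDF
# escapes such as \) in the string. The /URI <hex> form and annotations held
# in FlateDecode object streams are out of scope for this example.
URI_ACTION_RE = re.compile(rb"/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)")


def extract_uri_actions(pdf_bytes: bytes) -> list[str]:
    """Return external URL actions found in raw PDF bytes (the link-annotation
    channel the report refers to)."""
    urls = []
    for m in URI_ACTION_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group("uri"))  # undo \( \) \\
        urls.append(raw.decode("latin-1"))
    return urls


def host_of(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_disposable(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in DISPOSABLE_HOSTS)


def analyze_link_farm(urls, min_links=8, min_distinct_hosts=5, max_dominant_share=0.5):
    """Flag a thin spread of many external links over many hosts, corroborated
    by a utm_term redirector or disposable hosting. Thresholds are assumptions."""
    hosts = [host_of(u) for u in urls if urlparse(u).scheme in ("http", "https")]
    counts = Counter(hosts)
    n = len(hosts)
    dominant_share = max(counts.values()) / n if n else 0.0
    seo = [u for u in urls if "utm_term" in parse_qs(urlparse(u).query)]
    disposable = [u for u in urls if is_disposable(host_of(u))]
    spread_thin = (n >= min_links and len(counts) >= min_distinct_hosts
                   and dominant_share <= max_dominant_share)
    return {
        "link_count": n,
        "distinct_hosts": len(counts),
        "dominant_host": counts.most_common(1)[0][0] if n else None,
        "dominant_share": dominant_share,
        "seo_redirectors": seo,
        "disposable_links": disposable,
        "flagged": spread_thin and bool(seo or disposable),
    }


# Constructed input: a subset of the URLs listed in this report.
SAMPLE_URLS = [
    "https://nomylo.ru/pbw?utm_term=fnaf+ar+special+delivery+guide",
    "https://piziwola.weebly.com/uploads/1/3/1/3/131382430/3fda6ff8.pdf",
    "https://cdn-cms.f-static.net/uploads/4469105/normal_601958fc69629.pdf",
    "https://roguxewotare.weebly.com/uploads/1/3/4/3/134319265/b52cb9534cb5bff.pdf",
    "https://cdn-cms.f-static.net/uploads/4374963/normal_60610ca681c2f.pdf",
    "http://buvavipoluvu.pbworks.com/f/how_to_write_an_email_requesting_job_shadowing.pdf",
    "https://uploads.strikinglycdn.com/files/96d7a8d8-50aa-4999-b753-a501aecba44e/problemas_de_proporcionalidad_y_porcentajes_2_eso.pdf",
    "http://negaboxa.pbworks.com/f/ziwosabodilakexu.pdf",
    "http://www.ascendercorp.com/",
    "http://scripts.sil.org/OFL",
]

# Constructed control: a normal citation pattern with one dominant host.
BENIGN_URLS = [f"https://example.org/paper/{i}" for i in range(8)] + [
    "https://example.com/about",
    "https://example.com/contact",
]

# Constructed minimal PDF fragment with two link actions (not a valid file).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://nomylo.ru/pbw?utm_term=fnaf+ar+special+delivery+guide) >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (http://scripts.sil.org/OFL) >> >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    print(extract_uri_actions(SAMPLE_PDF))
    for name, urls in (("sample", SAMPLE_URLS), ("benign", BENIGN_URLS)):
        r = analyze_link_farm(urls)
        print(name, r["flagged"], r["link_count"], r["distinct_hosts"],
              r["dominant_host"], round(r["dominant_share"], 2),
              len(r["seo_redirectors"]), len(r["disposable_links"]))
```

Hosts are compared by full hostname, so nine different weebly.com subdomains count as nine hosts; that is the point of the "non-clustered" criterion, since the operator spreads each lure over a fresh free subdomain. Grouping by registrable domain instead would make weebly.com look dominant and hide the pattern. The control list shows the other side: ten links with eight to one host fails the spread test even though the link count is the same.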
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000ec93.bin | 46b9643d1eb0ee52edf1ef553b034865bcc164dd72cd7b2332e36fa78ef6338c | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEC93 | 5440 bytes |