MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
This PDF document was flagged as malicious by an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9994
Heuristics 5
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://vilenefex.ru/strik?utm_term=the+life+we+bury+pdf (PDF link annotation)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00010bc1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10BC1 | 5024 bytes | cfa2fe8c85c1ae79c41e021fca0654c255395b587c7f50abd053cd5410e62c29 |
| font_01_sfnt_off00011ce3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11CE3 | 10728 bytes | ecd3b0c423d633b8449c2916c988fc82e0ed2e8edb656867abef2ff5d0573422 |