Verdict: MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF document was identified as malicious by ML classifiers and ClamAV, indicating a phishing or spam distribution attempt. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm designed to redirect users to potentially harmful content. The document body, though partially corrupted, suggests a lure related to using a smoker, which is likely a pretext to disguise the malicious intent of the embedded links.
Machine Learning
- Nyx PDF Classifier malicious score 0.9990
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The utm_term SEO-redirector link referenced by the heuristic above, reached via a PDF link annotation: https://midufefew.ru/aws?utm_term=how+to+use+expert+grill+charcoal+water+smoker
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000ecc0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xECC0 | 5532 bytes | 753c7982c0f40763e818d028644dfee760fcc4fc52a6e55d37e600ec9309bdfb |
| font_01_sfnt_off0000ff76.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFF76 | 10744 bytes | 4577140ffd4cdf468240d35ac217e1c9ded2c490abce82743f645f28dff4dd91 |