MALICIOUS
226
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
T1059.007 JavaScript
The PDF document employs a social engineering lure, instructing the user to install a browser extension or update, which is a common tactic for credential theft or malware installation. The presence of numerous external links, many hosted on disposable domains, suggests a link farm designed to redirect users to malicious sites. ClamAV detection and ML classification further confirm its malicious nature, likely involving phishing or trojan delivery.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Browser extension / update installation lure high SE_BROWSER_INSTALL_LUREDocument tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://gimoguvi.ru/strik?utm_term=what+did+charles+lyell+discover PDF link annotation
- https://cdn.sqhk.co/rovifatira/igjdeiy/financial_times_investment_in_ukraine.pdfIn PDF document text
- http://stavki-na-sport.site/the_secret_sharer_joseph_conrad4ttm4.pdfIn PDF document text
- https://cdn.sqhk.co/liwewajawab/hghjghj/goblin_character_sheet_5e.pdfIn PDF document text
- http://proita.space/59401111273ibgw0.pdfIn PDF document text
- https://cdn.sqhk.co/xovikojux/yjfgdd5/80543637443.pdfIn PDF document text
- http://swiss-gear.store/melomulupavedusobefutsjj6g.pdfIn PDF document text
- https://cdn.sqhk.co/veladaxuzeba/ggjix95/prison_break_escape_room_near_me.pdfIn PDF document text
- http://kittyplay.online/geteb7jqam.pdfIn PDF document text
- http://samo-katim.ru/25943797840yuz7l.pdfIn PDF document text
- https://cdn.sqhk.co/dunokufimove/imNjb8J/paziserobiguvimezakazuj.pdfIn PDF document text
- https://cdn.sqhk.co/gepeduvo/Fie1hbL/kawerukasuwunozuxibitala.pdfIn PDF document text
- https://cdn.sqhk.co/zinumazak/bhj8mhf/60573940447.pdfIn PDF document text
- https://cdn.sqhk.co/joxesinejag/s75jf8L/84207720260.pdfIn PDF document text
- https://cdn.sqhk.co/fudamozomeb/b1zjig8/elements_of_carbohydrates_lipids_proteins_and_nucleic_acids.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/jozetej/tobibevuz.pdfIn PDF document text
- https://s3.amazonaws.com/wamatasamegu/pixekodiniwan.pdfIn PDF document text
- https://s3.amazonaws.com/kukazowox/20213480053.pdfIn PDF document text
- https://s3.amazonaws.com/wetowuzuxit/forgotten_realms_books.pdfIn PDF document text
- https://9eff4bf0-55a5-42b9-a65a-250f23c32afd.filesusr.com/ugd/80978b_c902597a44254708bbf169cffb8ae6d7.pdf?index=trueIn PDF document text
- https://67d298e0-85f4-4ad4-bf36-e1ac857e42fc.filesusr.com/ugd/b6bf5b_67ef0ec813014db7b51987b4e0f67595.pdf?index=trueIn PDF document text
- https://bdc3fad0-85dd-4e34-85f7-620d54d4ff6f.filesusr.com/ugd/10cedf_926df82057e44adf8f0c64c5bb7a4bf6.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000115a8.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x115A8 | 5200 bytes |
SHA-256: 65987d1c627f80125061e69059231e35511ce4cc3b41e3db42075c340e7948fb |
|||
font_01_sfnt_off00012768.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12768 | 11656 bytes |
SHA-256: fe7fc7d16a61d60cd9d41377597814d9afd76a65c47b9bfbd2cc3f6e528d35da |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.