Verdict: MALICIOUS
Risk Score: 246
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious Link
The PDF document contains a large number of external links, many hosted on disposable domains, suggesting a link farm designed to redirect users to malicious sites. Heuristics indicate a lure for installing browser extensions or updates, a common tactic for credential theft or malware delivery. The ML classifier and ClamAV detection strongly indicate malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics (8)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Browser extension / update installation lure (high, SE_BROWSER_INSTALL_LURE): Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- QR-code redirect lure (medium, SE_QR_LURE): Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://soxebez.ru/123?utm_term=usb+browser+free++for+mobile (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00011a07.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11A07 | 4924 bytes | 5af177dd62174dfd9a92b0bbff787fda1479763e41866d02ebd8151f0b546498 |
| font_01_sfnt_off00012aca.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12ACA | 13316 bytes | 2d0305b665b84e1767776ff2da5b7fb37da03ec12dcfde4a0a75cc1743388f0d |