Verdict: MALICIOUS
Risk Score: 244

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF file contains an embedded script and a large number of external links, many of which are likely part of a link farm designed to obscure malicious activity. The embedded script, identified as JavaScript, likely attempts to download and execute a second-stage payload from one of the provided URLs. The ClamAV detection further confirms the malicious nature of the file.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997

Heuristics (7)
- ClamAV (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded script payload in PDF stream (medium, PDF_EMBEDDED_SCRIPT_PAYLOAD): PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs (channel that reached each URL in parentheses):
- https://vilenefex.ru/award?keyword=jquery+ajax+download+file+pdf (PDF link annotation)
- https://cdn.sqhk.co/fowurona/ghQ3jx0/art_puzzle_live_jigsaw_coloring_page.pdf (in PDF document text)
- https://cdn.sqhk.co/lirerafi/nifhfQL/snapped_meaning_in_english.pdf (in PDF document text)
- https://cdn.sqhk.co/rosisole/Yifvje8/15567352960.pdf (in PDF document text)
- https://cdn.sqhk.co/mipijotom/gdibAij/latrunculin_a_treatment.pdf (in PDF document text)
- https://cdn.sqhk.co/sifajoxojif/jgjbhhQ/tuning_forks_for_healing_australia.pdf (in PDF document text)
- http://www.ascendercorp.com/ (in PDF document text)
- http://www.ascendercorp.com/typedesigners.html (in PDF document text)
- https://uploads.strikinglycdn.com/files/a7143579-dd23-4d21-a097-be3e8de40b50/49616630937.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/94b1cd52-eb5d-4d87-b58a-7d0c73d38261/97142866291.pdf (in PDF document text)
- https://104e0e48-a4c2-4a03-8647-06ef64d4e6ac.filesusr.com/ugd/e2c6c1_4f34222063a54e31b32824135e9d25c2.pdf?index=true (in PDF document text)
- https://uploads.strikinglycdn.com/files/d075a5bb-1dd0-438a-b0a0-1c6a71384008/what_common_plants_are_edible.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/a9e4ff41-fbb7-4be7-8018-fad5ac6c50af/the_vampire_diaries_book_series_reading_order.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/5a7acd44-85cb-49e7-98c4-8aa735dea921/ruvotaz.pdf (in PDF document text)
- https://31c8a3d4-0132-49f1-a04f-09c79d03e01f.filesusr.com/ugd/a4da84_97086154735546d9988056ede754b16e.pdf?index=true (in PDF document text)
- https://uploads.strikinglycdn.com/files/a205becf-d501-45aa-bf88-a4e93120135a/italian_short_stories_for_beginners.pdf (in PDF document text)
- https://s3.amazonaws.com/jozaponi/digivasavib.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/599f6e7b-3263-4130-b012-4a70ec73f9ee/gendered_lives_communication_gender_and_culture_11th_edition.pdf (in PDF document text)
- https://s3.amazonaws.com/sobaketemu/nizivulavarazode.pdf (in PDF document text)
- https://s3.amazonaws.com/vifusupegiza/ffbe_guide_for_beginners.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/1ccccada-64c2-4581-9cc1-00d6e837e1ad/vurazo.pdf (in PDF document text)
- https://b81f28a7-a6cc-4df9-aebb-a76b708ee4b5.filesusr.com/ugd/df05b2_37dd3b0a4209455784333842332544c8.pdf?index=true (in PDF document text)
- https://uploads.strikinglycdn.com/files/ade6b963-d043-4a36-b517-a63712f92937/48872774499.pdf (in PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
- http://purl.org/dc/elements/1.1/ (in PDF document text)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
- http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_pdf_script_000154e2.bin | pdf-embedded-script | PDF decompressed stream script payload at offset 0x154E2 | 89278 bytes | aea0251d3dce1d84c46bd8cecb72b1ca35ba6b346609de10099b3863d34e305f |
| font_00_sfnt_off00011375.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11375 | 5308 bytes | db07f9f669cadd7e30fb69cd9005d07f579041cf735a738f53ea0cdf7e8351c6 |
| font_01_sfnt_off000125bc.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x125BC | 12256 bytes | 20456870e95a70361163d7bacb1912254836e1df93aa40921d732765ab035e33 |

Detection for embedded_pdf_script_000154e2.bin
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):

%PDF-1.4
1 0 obj
<<
/Title (þÿ J q u e r y a j a x d o w n l o a d f i l e p d f)
/Creator (þÿ w k h t m l t o p d f 0 . 1 2 . 5)
/Producer (þÿ Q t 4 . 8 . 7)
/CreationDate (D:20210407035730+03'00')
>>
endobj
3 0 obj
<<
/Type /ExtGState
/SA true
/SM 0.02
/ca 1.0
/CA 1.0
/AIS false
/SMask /None>>
endobj
4 0 obj
[/Pattern /DeviceRGB]
endobj
6 0 obj
<<
/Type /XObject
/Subtype /Image
/Width 625
/Height 155
/BitsPerComponent 8
/ColorSpace /DeviceRGB
/Length 7 0 R
/Filter /DCTDecode
>>
stream
[binary DCTDecode (JPEG, "JFIF" header) image data, not printable]
... (truncated)