Malware Insights
This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The PDF contains a large number of external links, many pointing to disposable hosting, suggesting a link farm or phishing operation. One prominent URL, https://ponafet.ru/strik?utm_term=vivid+verbs+worksheet+4th+grade, is directly embedded and likely serves as a primary lure. While no scripts were explicitly extracted, the PDF structure and extensive link farm are strong indicators of a malicious document designed to redirect users to potentially harmful sites.
Machine Learning
- Nyx PDF Classifier malicious score 0.9991
Heuristics 6
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://ponafet.ru/strik?utm_term=vivid+verbs+worksheet+4th+grade
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000ec69.bin | 7fca871b30e08905b568f3bd804c1392faa5746a065126e139b220b789c12199 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEC69 | 5148 bytes |
| font_01_sfnt_off0000fe14.bin | fde3c1536fe73941f1b52a4f3ed38392da6a2c4867435438b990c39d0ea22897 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFE14 | 11040 bytes |
| font_02_sfnt_off00012365.bin | 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12365 | 4324 bytes |