MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a large number of external links, many of which are to other PDFs, suggesting a link farm or SEO manipulation tactic. The primary external URI points to a suspicious domain, likely intended to host malicious content or phishing pages. ClamAV and ML classifiers also flagged this PDF as malicious, specifically as a phishing trojan.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://gimoguvi.ru/strik?utm_term=constant+velocity+particle+model+worksheet+4+answers
- https://static.s123-cdn-static.com/uploads/4390383/normal_5fc6cf3c1e373.pdf
- https://putigored.weebly.com/uploads/1/3/0/7/130738503/3814deb0.pdf
- https://bivufinemena.weebly.com/uploads/1/3/1/3/131380184/678bf.pdf
- https://wofiwajelakezod.weebly.com/uploads/1/3/6/0/136092853/fusosox.pdf
- https://cdn-cms.f-static.net/uploads/4481058/normal_600f3e777e372.pdf
- https://kevefizi.weebly.com/uploads/1/3/1/8/131871405/307390.pdf
- https://tanoviruxejalun.weebly.com/uploads/1/3/0/7/130775892/karinunotuxedajuroj.pdf
- https://bevizopet.weebly.com/uploads/1/3/0/7/130776142/4311280.pdf
- https://terokusaf.weebly.com/uploads/1/3/5/3/135347070/xesimo.pdf
- https://zefemebok.weebly.com/uploads/1/3/0/7/130775969/1b37bd78739a.pdf
- https://dakubotamijez.weebly.com/uploads/1/3/2/7/132712147/nelikut.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/dufekifaral/formal_dress_stores_in_perth.pdf
- https://s3.amazonaws.com/sazariwapa/unsure_synonym_formal.pdf
- https://s3.amazonaws.com/toliwudalamem/zuletab.pdf
- https://s3.amazonaws.com/vinivuxo/driver_bematech_mp-_4000_th_fi.pdf
- https://s3.amazonaws.com/xasovewipeje/97091060422.pdf
- https://s3.amazonaws.com/nuxulikiwab/duzegepezed.pdf
- https://s3.amazonaws.com/zesixefe/lisivo.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f2ea.binaeb2b8a35c52c3f26d1fa9e729c39442e897d9ea2f4d3b3e068904edc662118f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF2EA | 5624 bytes |
font_01_sfnt_off000105fe.bine4406b1db21671749f2fdb0e0f427f978e448871b90523b1475d23cec46f4483 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x105FE | 10036 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.