Verdict: MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains numerous external links, many pointing to disposable domains, suggesting a link farm or phishing operation. The primary malicious URL, 'https://midufefew.ru/strik?utm_term=fiddler+on+the+roof+full+movie+online', is presented as a lure for movie content. While no scripts were explicitly extracted, the PDF structure and heuristic firings indicate malicious intent, likely for credential harvesting or malware delivery.
Machine Learning
- Nyx PDF Classifier malicious score 0.9989
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://midufefew.ru/strik?utm_term=fiddler+on+the+roof+full+movie+online (PDF link annotation)
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00016190.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16190 | 4772 bytes | ae7456faf2bdc9e5a25a02809836cbf6ae4aed1d9371c19a91850eaa32be68a8 |
| font_01_sfnt_off000171a3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x171A3 | 2980 bytes | 68dc9f05d1d80ad1023a2bcd920294d9d7f1fe623bc747bd69036edb33c7d6da |
| font_02_sfnt_off00017dec.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17DEC | 18984 bytes | c40432c760f2f6345d7467fdea8bd39528ed0c673137235532b947293329edea |