MALICIOUS
126
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains multiple external URIs and is flagged as a link farm on disposable hosting, indicating a phishing or malware distribution attempt. The ML classifier and ClamAV detection strongly suggest malicious intent, likely to trick users into downloading a second-stage payload or visiting a phishing site. No scripts were extracted from this sample.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://pelibifir.ru/aws?utm_term=amsco+apush+2015+pdf+download PDF link annotation
- https://cdn.sqhk.co/xekejegixawo/hiHjfbj/xmeye_app_para_pc.pdfIn PDF document text
- https://cdn.sqhk.co/lepavenujal/72ighj4/gesebexafosudeju.pdfIn PDF document text
- https://cdn.sqhk.co/jagapifa/iiOZHge/animal_cat_ringtone_download.pdfIn PDF document text
- http://finutepanaj.iblogger.org/frigidaire_50_pint_dehumidifier_review.pdfIn PDF document text
- https://cdn.sqhk.co/gotofebelu/2jhjdgi/twitter_clear_login_notifications.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/a94b314f-73aa-4576-ac2e-64977043a66f/integral_calculus_meaning_in_tamil.pdfIn PDF document text
- http://xixepobubin.epizy.com/27602473301.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/5a75a120-57a0-42fd-8710-788f66751bc3/befisebesin.pdfIn PDF document text
- http://jirulesonena.rf.gd/namugowunezok.pdfIn PDF document text
- http://wogomud.epizy.com/sandisk_clip_sport_firmware_upgrade.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/96b49a42-6f61-4c0d-9eea-36bcda986030/9892165814.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a97d4019-b22a-47af-a1de-24395aa0dbf4/38947540234.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/81c997c3-0319-4d6a-b3a9-fee157af73cc/plc_programming_training_center_in_chennai.pdfIn PDF document text
- http://lujufidopugola.rf.gd/budokugowufotifibiwari.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a7a71c65-fb1b-4de9-8a0e-e40142fe2f9e/42811352871.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ecc60212-88b9-4cc1-9d24-9cd78edb1e8f/lexokabimezuvijorofav.pdfIn PDF document text
- http://jevusavisa.epizy.com/asos_buty_na_platformie.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/0c52baa1-8d01-45f5-a4d0-909429112dd8/67250680905.pdfIn PDF document text
- http://kevulapoxokimif.rf.gd/baxufibovijuwibiked.pdfIn PDF document text
- https://s3.amazonaws.com/duzexefemosaxe/43310985996.pdfIn PDF document text
- https://s3.amazonaws.com/rebomedug/vofeniwiniwow.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000101b7.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x101B7 | 5832 bytes |
SHA-256: 2be72bd3f8c9a03ed382e66a7fe6ca84759aa109db87d633e22f64af8f712af0 |
|||
font_01_sfnt_off00011594.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11594 | 16600 bytes |
SHA-256: 9c5042a75cb49d6caee3b4fcdb7b3115ebf10aa947a74b5aebaf3bdb5b93ee44 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.