Verdict: MALICIOUS
Risk Score: 216

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. It uses brand-impersonation credential phishing. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9994
Heuristics (6)
- ClamAV (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Brand-impersonation credential phishing lure (critical, SE_BRAND_CREDENTIAL_PHISH): Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://gufogirim.weebly.com/uploads/1/3/5/9/135967500/3781169.pdf.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs (channel in parentheses):
- https://kuzutuzo.ru/award?keyword=as+400+system+administration+pdf (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000fe27.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFE27 | 5476 bytes | c8e60db3c3c3ae46d6937785e035318f68d1b05932cd961bba1873be2780c8d7 |
| font_01_sfnt_off000110be.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x110BE | 10200 bytes | fc41b9f350049b6e85be3f7f6d3f7e6b227c80b07e73726b7677ac7db42585ae |