Verdict: MALICIOUS
Risk Score: 196
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains numerous external links, many pointing to SEO redirectors and link-farm hosts, consistent with a phishing or malware distribution lure rather than a normal document. The ClamAV signature and the ML classifier both classify the file as malicious. The embedded URLs and the PDF_SEO_LINK_FARM heuristic indicate a generated link-carrier document that funnels the reader toward the linked destinations; the file itself carries no exploit, so the risk lies in where those links lead.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM). Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Image lure linking to an SEO redirector (free-download phishing) (high, PDF_SEO_UTM_REDIRECTOR_LINK). PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector, the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, regardless of how many filler text pages the lure carries.
- External URI (info, PDF_URI). PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL). The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs (channel in parentheses):
- https://fokemale.ru/strik?utm_term=2006+honda+odyssey+transmission+fluid+filter (PDF link annotation)
- https://cdn.sqhk.co/zarepowake/lojgohc/sojusenojez.pdf (PDF document text)
- https://cdn.sqhk.co/pozuwifofub/5DWBAgg/picture_quizzes_with_answers_uk.pdf (PDF document text)
- http://trafikcezaodebayisi.com/41910512213dm945.pdf (PDF document text)
- https://cdn.sqhk.co/naxudufejik/obMihoP/aankhon_ke_sagar_song.pdf (PDF document text)
- http://gmetry.online/which_is_better_beats_studio_3_or_solo_pro0tu8z.pdf (PDF document text)
- http://claire-irk.ru/is_carbon_monoxide_acidic_basic_or_neutralvi8ih.pdf (PDF document text)
- http://gtomishebs.xyz/what_is_good_at_chick_fil_atmpg0.pdf (PDF document text)
- http://www.ascendercorp.com/ (PDF document text)
- http://www.ascendercorp.com/typedesigners.html (PDF document text)
- http://www.daltonmaag.com/ (PDF document text)
- https://s3.amazonaws.com/siwixomudit/boyfriend_application_quotes.pdf (PDF document text)
- https://44bb6ee8-a0fe-4f72-890f-0f0a2fec05cf.filesusr.com/ugd/b65acf_c5ec8fbec65c4710989dfe9d3514fd9f.pdf?index=true (PDF document text)
- https://s3.amazonaws.com/wewiro/mazew.pdf (PDF document text)
- https://s3.amazonaws.com/jebokizez/certificato_di_conformit_laurea_medicina.pdf (PDF document text)
- https://s3.amazonaws.com/nojemi/koredilarasowame.pdf (PDF document text)
- https://s3.amazonaws.com/jinabom/lagu_kartonyono_medot_janji_dj_koplo.pdf (PDF document text)
- https://3f9320ff-391d-49df-b192-c557e211a93c.filesusr.com/ugd/469aea_192937f2c3004bd3add04ef4188311d8.pdf?index=true (PDF document text)
- https://s3.amazonaws.com/medaliwifufugel/episcopal_eucharistic_minister_guidelines.pdf (PDF document text)
- https://229c3593-bb94-4e5d-9b9f-ca3747df48ef.filesusr.com/ugd/145364_6ce4e7e270b44293a4702a2ccc072f2b.pdf?index=true (PDF document text)
- https://8aa13d94-a051-4bfa-911d-5e7c2f772018.filesusr.com/ugd/382cc4_d6077da42a5241e19070851d55deb592.pdf?index=true (PDF document text)
- https://3491c55f-27e3-40bb-839b-e55f5d2a6f06.filesusr.com/ugd/d14465_94981beb82dd44389254e434be261660.pdf?index=true (PDF document text)
- https://s3.amazonaws.com/votubukaxogilix/dunkin_donuts_promo_code_grubhub.pdf (PDF document text)
- https://s3.amazonaws.com/donukadizolin/80205207321.pdf (PDF document text)
- https://4de1274e-a26b-4e71-a0d1-d86f0cfee7ee.filesusr.com/ugd/ee4d88_4a8c9b5d2e27435bada6310e57258358.pdf?index=true (PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (PDF document text)
- http://purl.org/dc/elements/1.1/ (PDF document text)
- http://ns.adobe.com/pdf/1.3/ (PDF document text)
- http://ns.adobe.com/xap/1.0/ (PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (PDF document text)
- http://scripts.sil.org/OFL (PDF document text)
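The three structural heuristics in this report (PDF_SEO_LINK_FARM, PDF_SEO_UTM_REDIRECTOR_LINK and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced over raw PDF bytes without a full PDF parser. The Python below is an added example, not the analyzer's own code: it pulls indirect objects and /URI actions out with regular expressions (so it only sees uncompressed, literal-string content; FlateDecode streams and hex strings would need decoding first), splits URLs by channel the way the per-URL labels above do, and applies the three checks to a constructed sample PDF. The sample's hosts and paths, the thresholds (256 KiB, five links, 50 % host share, three utm_term words) and the list of "active" dictionary keys are assumptions for illustration, and the redirector check covers only the URL-shape half of that heuristic, not the image-lure half.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed sample (not the analysed file): a minimal uncompressed PDF carrying one link
# annotation to a multi-word utm_term redirector, bare URLs in page text clustered on one
# host, and object 6 defined twice with different /URI bodies. Hosts and paths are assumed.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 6 0 R] /Contents 5 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://fokemale.ru/strik?utm_term=2006+honda+odyssey+transmission+fluid+filter) >> >> endobj
5 0 obj << /Length 216 >> stream
BT /F1 9 Tf (https://cdn.sqhk.co/a/one.pdf) Tj ET
BT /F1 9 Tf (https://cdn.sqhk.co/b/two.pdf) Tj ET
BT /F1 9 Tf (https://cdn.sqhk.co/c/three.pdf) Tj ET
BT /F1 9 Tf (http://www.w3.org/1999/02/22-rdf-syntax-ns#) Tj ET
endstream
endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://www.daltonmaag.com/) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.sqhk.co/d/four.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # literal-string /URI only; hex strings not handled
BARE_URL_RE = re.compile(rb"https?://[^\s()<>]+")
# Assumed list of keys whose presence makes a duplicated object "active" (navigation or code).
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")
# Namespace and licence URLs that routinely sit in XMP metadata and font streams; not navigation.
METADATA_HOSTS = {"www.w3.org", "purl.org", "ns.adobe.com", "scripts.sil.org"}


def parse_objects(data):
    """Return every (num, gen, body) definition in file order, duplicates included."""
    return [(int(n), int(g), body) for n, g, body in OBJ_RE.findall(data)]


def extract_urls(data):
    """Split URLs by channel: /URI link-annotation actions vs. bare URLs in document bytes."""
    annot = [u.decode("latin-1") for u in URI_ACTION_RE.findall(data)]
    seen, text = set(annot), []
    for raw in BARE_URL_RE.findall(data):
        u = raw.decode("latin-1")
        if u not in seen:          # a /URI string also matches the bare pattern; count it once
            seen.add(u)
            text.append(u)
    return annot, text


def duplicate_objects(objects):
    """Flag (num, gen) pairs defined more than once with differing bodies. Severity is raised
    only when a body carries active content, because then first-wins and last-wins readers
    follow different links or actions; plain body edits are normal in incremental updates."""
    bodies = {}
    for n, g, body in objects:
        bodies.setdefault((n, g), []).append(body.strip())
    findings = []
    for key, seq in bodies.items():
        distinct = list(dict.fromkeys(seq))
        if len(distinct) > 1:
            active = any(k in b for b in distinct for k in ACTIVE_KEYS)
            findings.append({"obj": key, "definitions": len(seq),
                             "severity": "high" if active else "info"})
    return findings


def utm_redirector_links(urls, min_words=3):
    """A utm_term that reads like a natural-language search query (several words) is the
    SEO-redirector shape; a single tracking token is ordinary marketing noise."""
    hits = []
    for u in urls:
        terms = parse_qs(urlparse(u).query).get("utm_term", [])  # parse_qs turns '+' into spaces
        if any(len(t.split()) >= min_words for t in terms):
            hits.append(u)
    return hits


def link_farm(urls, file_size, max_size=256 * 1024, min_links=5, min_share=0.5):
    """Small file, many external links, most of them clustered on one host."""
    hosts = Counter()
    for u in urls:
        host = urlparse(u).netloc
        if host and host not in METADATA_HOSTS:
            hosts[host] += 1
    total = sum(hosts.values())
    if file_size > max_size or total < min_links:
        return None
    host, n = hosts.most_common(1)[0]
    if n / total >= min_share:
        return {"top_host": host, "top_host_links": n, "external_links": total}
    return None


def analyze(data):
    """Run the three structural checks and return the findings keyed by heuristic name."""
    annot, text = extract_urls(data)
    return {
        "link_annotations": annot,
        "text_urls": text,
        "PDF_SEO_UTM_REDIRECTOR_LINK": utm_redirector_links(annot),
        "PDF_SEO_LINK_FARM": link_farm(annot + text, len(data)),
        "PDF_DUPLICATE_OBJ_BODY_INCREMENTAL": duplicate_objects(parse_objects(data)),
    }


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_PDF).items():
        print(f"{name}: {value}")
```

On the sample this reports the fokemale.ru annotation as the redirector link, cdn.sqhk.co as the dominant host (4 of 6 non-metadata links) and object 6 0 as a high-severity duplicate because both bodies are /URI actions. On a real sample, run it after inflating FlateDecode streams (for example with zlib) so page-text URLs are visible, and treat the metadata-host exclusion as a tunable allowlist rather than a fixed rule.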
Extracted artifacts (3)
Files carved from inside the sample during analysis. All three are embedded sfnt font streams; no script, embedded file or launch payload was carved, consistent with the heuristic note that the risk is the linked destination rather than the file itself.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000e488.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE488 | 5464 bytes | e5ce4004378be5718693c00033507cfd7ee013022bce11f224adef227fa843af |
| font_01_sfnt_off0000f6dc.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF6DC | 11008 bytes | 36bc84c3bcd5a3898d50a2ffec59862ac07a5479aa84326f9fb1604f884dda25 |
| font_02_sfnt_off00011bbb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11BBB | 4324 bytes | ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3 |