Verdict: MALICIOUS
Risk Score: 226
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious Link
- T1059.007 JavaScript
This PDF document exhibits characteristics of a phishing or malware distribution lure. It contains numerous external links, many pointing to disposable hosting, and includes a social engineering tactic to prompt the user to install a browser extension or update. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to credential theft or further payload delivery via the embedded links.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9993
Heuristics (7)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Browser extension / update installation lure [high, SE_BROWSER_INSTALL_LURE]: Document tells the user to install a browser extension, plugin, viewer, or browser update to view content, a common social-engineering path for credential theft and malware installation.
- Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs
- https://huntic.ru/pbw?utm_term=can+teachers+see+if+you+cheat+on+edgenuity (PDF link annotation)
- https://cdn-cms.f-static.net/uploads/4388427/normal_601590036dc2b.pdf (in PDF document text)
- https://static.s123-cdn-static.com/uploads/4377403/normal_5fe3e32999e51.pdf (in PDF document text)
- https://xavupavise.weebly.com/uploads/1/3/4/5/134584264/bb7c69d.pdf (in PDF document text)
- https://cdn-cms.f-static.net/uploads/4383798/normal_6032cd757b71f.pdf (in PDF document text)
- https://jilanuma.weebly.com/uploads/1/3/4/5/134522828/8670832.pdf (in PDF document text)
- https://static.s123-cdn-static.com/uploads/4413228/normal_5fed7ec5b9dee.pdf (in PDF document text)
- https://rogetaguw.weebly.com/uploads/1/3/1/4/131407632/dodolamidolunemif.pdf (in PDF document text)
- http://www.ascendercorp.com/ (in PDF document text)
- http://www.ascendercorp.com/typedesigners.html (in PDF document text)
- https://uploads.strikinglycdn.com/files/e8c4ce74-3c28-4305-a31a-ab8d3048dc46/71514014187.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/244653d8-a24d-4550-a310-b391f822a759/xaloxedigir.pdf (in PDF document text)
- http://joraxakegeg.pbworks.com/f/tejipitebav.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/97b1f13f-af44-4d34-a28b-c015229e747e/the_book_of_the_damned_by_charles_fort.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/67925d22-c1cd-4522-b1a4-842304fa4fcb/what_is_concept_mapping_in_social_studies.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/2b23ee4b-5e5c-484d-ae37-65ed908c7538/what_are_some_false_gods_that_tempt_us_today.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/aecd3161-57cb-4bac-8542-32084fd30d67/what_is_the_difference_between_descriptive_statistics_and_inferential.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/74bdcfe3-625d-4c0a-9544-2f048bc27639/45889640361.pdf (in PDF document text)
- http://tozuxexap.pbworks.com/f/how_to_pair_jbl_flip_4_to_iphone.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/b8876caa-86d1-4d0b-8b6b-802dc809d885/46273643009.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/1fda379e-9173-49cb-b104-055fb3b2b0ac/crocheting_beanies_for_beginners.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/8de09899-e94c-4b37-8510-e4e928930526/youtube_poker_run_2020.pdf (in PDF document text)
- http://pezeliv.pbworks.com/f/how_to_use_a_prepaid_electricity_meter.pdf (in PDF document text)
- http://xedidovetaw.pbworks.com/w/file/fetch/144412794/can_a_man_build_muscle_after_40.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/e452017e-5776-4fd7-8a72-8b2015b10f4d/28629916324.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/542e10d0-a3f1-4ba9-83df-49fdc6dced0a/sawokavun.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/23cd8b11-43d6-4b72-bf86-31960df9f2e5/wuxurazuluvaloluna.pdf (in PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
- http://purl.org/dc/elements/1.1/ (in PDF document text)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
- http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000febf.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFEBF | 5260 bytes | 749eccb42deefbd33910dffa98ef6bd2790c45b47ad1488f17731d07ed99917c |
| font_01_sfnt_off000110a1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x110A1 | 11120 bytes | 319eb08f86d265bdf9dec8f97a8a8b33ca9d12f1c9c6d8cdd94a75f3794ea525 |