MALICIOUS
184
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF document contains a large number of external links, many of which point to disposable hosting services, indicating a link farm designed to redirect users. The primary URL, 'https://ketchas.ru/pbw?utm_term=how+to+fix+a+broken+underground+dog+fence', is presented as a guide but likely serves as a lure to a phishing or malware distribution site. The ClamAV detection and ML classifier further support its malicious nature.
Machine Learning
- Nyx PDF Classifier malicious score 0.9571
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ketchas.ru/pbw?utm_term=how+to+fix+a+broken+underground+dog+fence
- https://static.s123-cdn-static.com/uploads/4428083/normal_5fd092ac0d985.pdf
- https://rowimunikak.weebly.com/uploads/1/3/5/3/135346477/dce7a956d838bd8.pdf
- https://gogafijunovox.weebly.com/uploads/1/3/4/3/134322332/e3e6656978cc36.pdf
- https://zisafidavilux.weebly.com/uploads/1/3/2/8/132814196/5574536.pdf
- https://static.s123-cdn-static.com/uploads/4414680/normal_5fc85690f1fcf.pdf
- https://zugatesek.weebly.com/uploads/1/3/6/0/136082504/pavipemekixafi-gaxotixavolanu.pdf
- https://varusotefus.weebly.com/uploads/1/3/1/3/131398431/6899548.pdf
- https://dineretisa.weebly.com/uploads/1/3/4/7/134709889/795ad6.pdf
- https://xibemorebag.weebly.com/uploads/1/3/4/3/134355918/sekibevarefo_pizitititupinev_vizono.pdf
- https://regifedemez.weebly.com/uploads/1/3/1/4/131406591/lotegimufaxefupet.pdf
- https://rivoliga.weebly.com/uploads/1/3/5/3/135311175/1294081.pdf
- https://pixabetamomu.weebly.com/uploads/1/3/1/0/131070001/jilunidibeb.pdf
- http://ririgifavem.pbworks.com/w/file/fetch/144594699/what_are_the_roles_and_responsibilities_of_a_government_accountant.pdf
- https://uploads.strikinglycdn.com/files/a64ec641-0bdd-49fd-8f68-542d9c8e6e54/oily_hair_shampoo_solutions.pdf
- http://risuxujuvu.pbworks.com/f/gasorijagag.pdf
- http://mujefapufefi.pbworks.com/f/50768914719.pdf
- http://zajozote.pbworks.com/w/file/fetch/144447504/75177413408.pdf
- https://uploads.strikinglycdn.com/files/e4fcec28-b04f-4eb9-87e5-ec7d2485c721/insidious_3_full_movie_in_hindi_download_filmywap.pdf
- http://fubajulak.pbworks.com/f/dotodijozovopuviveze.pdf
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000d808.bind8b907802410e675ceca2784509e58a9dae2947c1b2ad43e3e0c02687eabed47 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD808 | 2952 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.