MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file was identified as malicious by ML classifiers and ClamAV, flagging it as a phishing trojan. It contains a large number of external links, many pointing to disposable hosting, suggesting it functions as a link farm. The primary purpose appears to be directing users to potentially malicious external sites, likely for phishing or to download further malware.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://soxebez.ru/123?utm_term=audyssey+multeq+xt32+vs+manual PDF link annotation
- https://cdn-cms.f-static.net/uploads/4445866/normal_601ad4bf462f7.pdfIn PDF document text
- http://gopidap.scienceontheweb.net/zidekunewowok.pdfIn PDF document text
- http://mobeditobaxul.scienceontheweb.net/71614238631.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4478146/normal_5fe7b5780b9d5.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4476294/normal_5fe1d291811df.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4371523/normal_5ffcd19024224.pdfIn PDF document text
- http://wegoradubi.sportsontheweb.net/kovuwixugenagugas.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4420934/normal_5ff0cd0ba0d91.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4369646/normal_5fc7477feb9a6.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://1e2e1d2f-e5bc-406e-8ade-c93a3c5db6fe.filesusr.com/ugd/81c7be_aa07a8580d894e1e97cccb23f169fe93.pdf?index=trueIn PDF document text
- https://2d130471-2a64-48ba-87cf-8f1e86c6acad.filesusr.com/ugd/9c43ec_0bde7f055980459d8cc7481696cdf691.pdf?index=trueIn PDF document text
- https://cd753cf5-d90a-4073-9c55-931a76e81761.filesusr.com/ugd/8826df_4eb7cec43b3b41dbb5ee7a3a2ec790c6.pdf?index=trueIn PDF document text
- https://cf176ec6-4820-456b-adf9-61e5f06c968f.filesusr.com/ugd/43d598_52828078f65042799f2c4aec35ff60ef.pdf?index=trueIn PDF document text
- http://rixigor.onlinewebshop.net/87862506693.pdfIn PDF document text
- http://lugubukegi.epizy.com/dafagusukuwilike.pdfIn PDF document text
- https://9e6c4f0b-3406-4274-bf8a-5be7f948d240.filesusr.com/ugd/45c6ff_8cbd773018b64a36906eaad51a81648a.pdf?index=trueIn PDF document text
- https://ae0ecf71-49bb-4ac4-bba4-d0f2a20d1af9.filesusr.com/ugd/668a47_c1f85e11463943c5ab87daad5704f2f6.pdf?index=trueIn PDF document text
- https://2ac56fc1-f7ee-4366-9cb2-1681469c68ee.filesusr.com/ugd/b914b5_a55e06d4efcc4ad281cf2f0596f4d4fc.pdf?index=trueIn PDF document text
- http://luxixeg.epizy.com/9636378792.pdfIn PDF document text
- https://4253c66a-660d-4c83-b31d-f715833d547b.filesusr.com/ugd/d9e9a0_9fb4f55fa28348faa072e49dd8ea53da.pdf?index=trueIn PDF document text
- http://xemunebo.atwebpages.com/kenmore_sewing_machine_parts_manual.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00010aa1.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10AA1 | 5516 bytes |
SHA-256: 0d655f6934fd9bd97d7de47cb45b667b562b45f0415debc57e0945e6665ee827 |
|||
font_01_sfnt_off00011d5c.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11D5C | 11932 bytes |
SHA-256: fcdc2af6cf42200129feeaedec98607a52995e8dd1bbce67c8352815f64d0f75 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.