Verdict: MALICIOUS (Risk Score: 196)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
T1203 Exploitation for Client Execution
The PDF file contains heuristics indicating it's a phishing attempt and a link farm, with a critical ClamAV detection for a phishing trojan. The 'SE_CLICKFIX' heuristic suggests the document instructs users to run commands, a common social engineering tactic. The embedded URL points to a suspicious domain, likely serving as a download source for a second-stage payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClickFix social engineering attack (high, SE_CLICKFIX): Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://midufefew.ru/strik?utm_term=tp+link+range+extender+access+point+setup (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000e147.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE147 | 5324 bytes | b26237e0f23510bb14645d92d3c1da347487b07c23803e4503bce4b8c4066258 |
| font_01_sfnt_off0000f374.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF374 | 21672 bytes | a4f683706c43104f31a1f4c9b65cc30f59cb96f85f749220c9a4b458f038e54e |