MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The PDF contains a large number of external links, many pointing to benign-looking PDF files, suggesting a link farm or SEO manipulation tactic. One of the extracted URLs, 'https://nipisod.ru/wix?keyword=the+fox+and+the+hound+book+amazon', is particularly suspicious and likely serves as a lure or phishing entry point.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://nipisod.ru/wix?keyword=the+fox+and+the+hound+book+amazon
- https://tapizijivuvol.weebly.com/uploads/1/3/2/6/132696465/vikejuwidepowonowod.pdf
- https://mavitebe.weebly.com/uploads/1/3/1/1/131163983/wutorajunaz.pdf
- https://fuvuliles.weebly.com/uploads/1/3/4/9/134904701/80e3663371.pdf
- https://cdn-cms.f-static.net/uploads/4417024/normal_60344613b149f.pdf
- https://nesojusoxo.weebly.com/uploads/1/3/4/6/134631750/nonovegeri.pdf
- http://martakkord.ru/68972628152629i1.pdf
- https://dopijixofovaje.weebly.com/uploads/1/3/4/6/134692352/gunumajijivixu_wivisofug_wumekasog_famomikor.pdf
- http://pochta-24.cc/airthings_wave_review46f18.pdf
- https://cdn-cms.f-static.net/uploads/4489848/normal_603bdef3721d8.pdf
- https://bagekitavaseb.weebly.com/uploads/1/3/1/0/131070055/6579894.pdf
- https://lasogevedona.weebly.com/uploads/1/3/1/3/131398076/xulixow.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://c84ffda1-e72a-45fa-8ce8-a771970cf326.filesusr.com/ugd/9fd656_bb834afaa94c4105944c438cec4f7078.pdf?index=true
- https://3c1ad7ec-bfc7-452d-a92a-0d22078d3251.filesusr.com/ugd/c6e823_8b6e36fa1d2d4bafba6d28b0e1cbd202.pdf?index=true
- https://uploads.strikinglycdn.com/files/e03817f7-7449-4169-a4b3-aa26483991c5/96390258564.pdf
- https://uploads.strikinglycdn.com/files/69f1d834-c9dd-4e20-82fa-fd36fa3c9ed3/mavise.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000c8eb.bine55c33b95bc6b76fb559a75fe21db6c5f602a166a34b3eb10c878ef510c8f7ff |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC8EB | 5112 bytes |
font_01_sfnt_off0000da3d.binc9997877a9a1ca4abc32795fc411a3614501d14b39dc1a5314d2c2e4b55cfc4c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDA3D | 10940 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.