MALICIOUS
226
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 User Execution: Malicious File
The PDF document contains a large number of external links, many hosted on disposable domains, suggesting a link farm or SEO spamming operation. The 'SE_BROWSER_INSTALL_LURE' heuristic indicates the document attempts to trick the user into installing a browser extension or update. This, combined with the ClamAV detection and ML classifier flagging, strongly suggests a malicious intent, likely to lead to credential theft or further malware infection.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Browser extension / update installation lure high SE_BROWSER_INSTALL_LUREDocument tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://golowaki.ru/award?keyword=iota+amharic+bible+pdf PDF link annotation
- https://cdn.sqhk.co/tezakagadol/jdQYLmP/army_gd_admit_card_2019.pdfIn PDF document text
- https://cdn.sqhk.co/sologavabo/rghidjg/apple_music_download_macbook.pdfIn PDF document text
- https://cdn.sqhk.co/zosurinipin/j7Upluk/3940570926.pdfIn PDF document text
- https://busiwilepajij.weebly.com/uploads/1/3/4/3/134353274/sobawuxalow.pdfIn PDF document text
- https://cdn.sqhk.co/riwoxedaki/jgoijgt/lawine_report_tirol.pdfIn PDF document text
- https://cdn.sqhk.co/nuvowiraxuf/gdjariD/30781330109.pdfIn PDF document text
- https://rotarivinevi.weebly.com/uploads/1/3/4/5/134599250/588672.pdfIn PDF document text
- https://cdn.sqhk.co/fijajiles/gkgdmQJ/78903033908.pdfIn PDF document text
- https://fimekubolutad.weebly.com/uploads/1/3/4/5/134585071/taxutijarajomex.pdfIn PDF document text
- https://towowiwegopute.weebly.com/uploads/1/3/4/0/134019464/kipazag_zatemed_sabironujojeze_rovunemo.pdfIn PDF document text
- https://cdn.sqhk.co/malevevipali/diaggh8/robotics_notes_switch_double_pack.pdfIn PDF document text
- https://cdn.sqhk.co/wijelukifap/gft3heY/sigujaxudomiselupowetase.pdfIn PDF document text
- https://gurawibozogudex.weebly.com/uploads/1/3/0/7/130739732/zipinedina_vebipamorowejep.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/59dd1a7f-ff4c-44a8-bd3d-74d00ec29204/2020_uglys_electrical_book.pdfIn PDF document text
- https://5ac9d038-517d-4536-97f6-676423289421.filesusr.com/ugd/b444d4_7b58d33544484e0ca19df42a9e1f7093.pdf?index=trueIn PDF document text
- https://0ed7c29b-d5f2-4290-8b47-add6aa38300d.filesusr.com/ugd/32a223_fac280dace814b09ba37fb172797fec9.pdf?index=trueIn PDF document text
- https://b3709dad-42f4-4621-9b7e-74d31ca978cd.filesusr.com/ugd/f91cf1_90ea942775b1491b94dde95eaaa54358.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/5de711ad-9d9b-40af-8a98-dd840f16aca6/50914750006.pdfIn PDF document text
- https://73e25548-3913-4bbb-aa69-a1b25f69568d.filesusr.com/ugd/cece23_cf5c900ee13248ab932a3121d5df9394.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e108.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE108 | 5296 bytes |
SHA-256: 6147915b02b9ceb0e128bfe11fc4656fd6619b51e9a89e2fa0ae7e32668eadb0 |
|||
font_01_sfnt_off0000f2dc.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF2DC | 10624 bytes |
SHA-256: 1b80782d2d1c97ec3725e066452e35349205377645abc5378ed0cd70680cafa6 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.