Verdict: MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI [info, PDF_URI]: PDF contains an external URL action
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs (channel in parentheses):
- https://jottigo.ru/strik?utm_term=how+to+pair+samsung+remote+with+roku (PDF link annotation)
- https://cdn.sqhk.co/xadowififux/dZ6ahae/55408580448.pdf (in PDF document text)
- https://cdn.sqhk.co/kivipemo/gciihgY/luzelak.pdf (in PDF document text)
- http://alphabitx.com/pronosticos_en_los_negocios_9_ediciomvo2b.pdf (in PDF document text)
- http://kvadro63.ru/how_to_change_standard_form_to_slope_y_interceptmg4t4.pdf (in PDF document text)
- https://cdn.sqhk.co/loganidob/jlZRjez/swot_analysis_chart_example.pdf (in PDF document text)
- http://www.ascendercorp.com/ (in PDF document text)
- http://www.ascendercorp.com/typedesigners.html (in PDF document text)
- https://uploads.strikinglycdn.com/files/46d7b47b-7f37-4944-83e4-5e4ab98faacd/waxogokadawovipufojiw.pdf (in PDF document text)
- https://e42ce0b3-f376-4cb5-9abe-507fdbb9570c.filesusr.com/ugd/603474_0f8b39b93e2f450cadbbdb68afd027f8.pdf?index=true (in PDF document text)
- https://uploads.strikinglycdn.com/files/4b33d1ab-c1dd-46c0-816c-a6889ce6cd0e/28493436659.pdf (in PDF document text)
- https://fe92b815-f0fe-4223-924b-659339f44b90.filesusr.com/ugd/8f64fc_f7a5a87a01b0487195a7b7ce3b89f1cb.pdf?index=true (in PDF document text)
- https://8d684a1e-4078-49cd-b336-05adf09473b6.filesusr.com/ugd/2b25e8_b3ddb672f4694c51b569d972c8ed4d79.pdf?index=true (in PDF document text)
- https://uploads.strikinglycdn.com/files/5dbb9d53-a861-4bd7-8876-d0678cb4c78d/58963920230.pdf (in PDF document text)
- https://91ca87c2-c493-4616-adaa-fbcec45394e1.filesusr.com/ugd/6116da_fe530c1941d24dbf8aef565a1563d440.pdf?index=true (in PDF document text)
- https://uploads.strikinglycdn.com/files/b7db0200-0d03-41bc-b263-1fd30dda1442/25331248447.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/0da4a9e1-459f-4e48-8def-259a45b4239c/what_are_aa_traditions.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/1755d727-b8d9-4c92-a25c-f4cefd25333f/58763628187.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/c424e1b7-6f38-45f4-9e5e-0876c57338cd/what_is_step_2_in_aa.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/07e587ae-f258-4c09-b8c0-5572df5e54c0/lilevofirawubumubugi.pdf (in PDF document text)
- https://20996a60-9695-4f45-8fdb-44bdc783da55.filesusr.com/ugd/c57cae_8343dbcb561e42ecba20ffc50e298795.pdf?index=true (in PDF document text)
- https://ca483b97-61ac-4196-bca0-6b249c18eca9.filesusr.com/ugd/b27199_f7af647f3b0f419686ea64ea142c3ef5.pdf?index=true (in PDF document text)
- https://fa53e508-d88d-41cb-897c-7a5b6f1bfcc3.filesusr.com/ugd/361045_5c57683564384c459bf3ed89c7671388.pdf?index=true (in PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
- http://purl.org/dc/elements/1.1/ (in PDF document text)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
- http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00015d67.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15D67 | 5316 bytes | 69612ac54906cdf2841f7c6bb7fe08768185c0e2e94a08728806b0b912d7d818 |
| font_01_sfnt_off00016f5e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16F5E | 11616 bytes | 94a141cac0fba4ee1e59a830910183ec2d38adeab0017fcc1da4fbe24c02cf8f |