MALICIOUS
216
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
T1059.007 JavaScript
This PDF document employs social engineering tactics, impersonating a cloud file-sharing service to trick users into installing a browser extension or update. The presence of numerous external links, many pointing to PDF files on file-sharing platforms, suggests a link farm or distribution mechanism for malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent, likely involving the download and execution of a second-stage payload via embedded JavaScript or external URLs.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Browser extension / update installation lure high SE_BROWSER_INSTALL_LUREDocument tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
-
Cloud document impersonation lure medium SE_CLOUD_DOC_LUREDocument impersonates a cloud file-sharing service such as SharePoint, OneDrive, Google Drive, Dropbox, Box, or Microsoft 365 and asks the user to open, verify, or access a shared document
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://druttle.ru/strik?utm_term=how+to+unshare+a+google+drive+folder PDF link annotation
- https://veborejekeraleb.weebly.com/uploads/1/3/4/4/134480613/825304.pdfIn PDF document text
- https://falojixij.weebly.com/uploads/1/3/4/8/134878909/tonesopofi_mesub.pdfIn PDF document text
- https://sefusozikoju.weebly.com/uploads/1/3/4/3/134366316/4919645.pdfIn PDF document text
- https://fifikasato.weebly.com/uploads/1/3/1/4/131437502/tasadigufegik.pdfIn PDF document text
- https://mexasazage.weebly.com/uploads/1/3/4/5/134513067/zepuzisupurara-jukaregoba-zexomazowutik.pdfIn PDF document text
- https://jabukosiw.weebly.com/uploads/1/3/0/8/130874379/vepaporeb.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/cf263e6f-38fe-4322-93e4-2425825c1d1d/75191107964.pdfIn PDF document text
- https://s3.amazonaws.com/ginutu/633205011.pdfIn PDF document text
- https://s3.amazonaws.com/bokofapig/vozokajo.pdfIn PDF document text
- https://s3.amazonaws.com/wavunot/panasonic_kx_tgp550_ip_address.pdfIn PDF document text
- https://s3.amazonaws.com/sigobija/11498221066.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/9ce2ccf1-c2bb-4658-9172-4668022e442f/tipo_de_sistemas_operativos_y_sus_caracteristicas.pdfIn PDF document text
- https://s3.amazonaws.com/gewisetug/a_m_u_ka_full_form.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b50284f3-cd2d-46dc-aa7e-5b0da9227f5d/womufiruf.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/876637c9-b2f1-484b-8c99-f959dc016e61/jumpstart_to_skinny_bob_harper_results.pdfIn PDF document text
- https://s3.amazonaws.com/xozeb/wosoguketotasutumarope.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/3cab0a9c-ad51-455a-8c8d-9466065c6a79/el_reino_de_este_mundo_analisis_por_capitulos.pdfIn PDF document text
- https://s3.amazonaws.com/setaxilitozuko/letazajerugulinisozasemo.pdfIn PDF document text
- https://s3.amazonaws.com/pokixovuxik/99976320409.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/7269bdfc-bd1d-4330-b081-145b133848bf/23333104413.pdfIn PDF document text
- https://s3.amazonaws.com/pezofut/english_as_a_second_language_grammar_book.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f401.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF401 | 5284 bytes |
SHA-256: a5626cc31562c0b343496c3dbaedecba4c44373977ee0f7a0816cdcf9bdcd9b6 |
|||
font_01_sfnt_off00010609.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10609 | 10500 bytes |
SHA-256: 73173ce68632b4bdc6c7a34ecdf8272845e6cca5f52749b30050d2e143e5e3ea |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.