MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm or SEO manipulation scheme. The presence of embedded URLs and the PDF structure itself point towards an attempt to redirect users to potentially harmful content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9994
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://gimoguvi.ru/123?utm_term=apscheduler+cron+format PDF link annotation
- https://tavumake.weebly.com/uploads/1/3/2/7/132740551/3e112a0439d64.pdfIn PDF document text
- https://kuburabet.weebly.com/uploads/1/3/4/3/134362545/1948851.pdfIn PDF document text
- http://pusikoxelumide.iblogger.org/40698466850.pdfIn PDF document text
- https://velumosatowe.weebly.com/uploads/1/3/4/8/134883763/sotumu.pdfIn PDF document text
- https://kejedavozeve.weebly.com/uploads/1/3/1/4/131483662/9b4d2.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://lexawelezalum.epizy.com/fupitelebelew.pdfIn PDF document text
- http://xarotuwegu.rf.gd/ruxosipazo.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/101b7937-0473-43e0-8309-af2c68e8f242/mirror_of_common_error_english_book_download.pdfIn PDF document text
- http://familule.epizy.com/here_i_am_spirit_sheet_music.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/9d41bde2-6db3-4dea-a907-e2b6b01e90b4/67795906534.pdfIn PDF document text
- http://gojaxuga.epizy.com/bootstrap_form_classes_list.pdfIn PDF document text
- https://911f1565-2faa-4874-b261-330d521e7362.filesusr.com/ugd/f46427_d7db50aaddb94cef97add8e8760ed3c7.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/562b0b2c-81d7-4e0c-9693-5b0d3f161043/what_two_colors_make_sage_green.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/38d62837-c1b0-4cfe-9b4d-c04108638ab2/4951501378.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8fd41474-1824-4ee8-ac56-cfd9b52fd8f4/plantronics_voyager_legend_uc_charging_case.pdfIn PDF document text
- https://s3.amazonaws.com/fomudebipefasu/80790287852.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/9b7f5357-3e80-4f34-a58e-60935cc0ff99/halo_books_in_order_2019.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e5620624-1684-4928-b99e-8a9a86be9490/43790686391.pdfIn PDF document text
- https://1e8c0764-4a0f-46ab-84a2-5f63a8a44928.filesusr.com/ugd/6a0acf_4f886828dec045deba7b1be2fa74ee7b.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/336c67a8-6155-4a37-860e-1c1928e02a62/20849777448.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/02d82eed-cd92-4719-88c2-895f107ec9d9/fivipaw.pdfIn PDF document text
- https://s3.amazonaws.com/baxunaf/what_does_samsung_smart_remote_do.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ae0ec9cb-8f36-430b-8742-f0f6af65568b/special_right_triangle_worksheet_answer_key.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00010146.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10146 | 5384 bytes |
SHA-256: d0557c4a980c7fe119d87a02ff19fb15cc64e41b15339c3cd07e76f1245a46a0 |
|||
font_01_sfnt_off0001136c.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1136C | 12440 bytes |
SHA-256: 6f67c2ce1da0ac55d6c1eca3b47e05f3245bcf6dacd7743a7d057a400badfd52 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.