Verdict: MALICIOUS (Risk Score 186)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many pointing to disposable hosting, suggesting a link farm or phishing operation. The embedded content, though heavily obfuscated, appears to be part of a lure to direct users to these external sites.
Machine Learning
- Nyx PDF Classifier malicious score 0.9993
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000e6f9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE6F9 | 6092 bytes | 9cf7e80d41e77e778eabb0a19f0df3004223ab75dae93b51af0388066363aeaa |
| font_01_sfnt_off0000fbb5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFBB5 | 10648 bytes | 850b64473831a688d9e5588cd22ea41de0f2751ec553223f1574de4411794dee |