Verdict: MALICIOUS
Risk Score: 186

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF file was detected as malicious by ClamAV and an ML classifier. It contains a large number of external links, many of which are hosted on disposable domains, suggesting a link farm designed to redirect users to potentially malicious sites. The primary link points to a search result for 'java jdk 1.7 free download', indicating a lure for software downloads.
Machine Learning
- Nyx PDF Classifier malicious score: 0.8930

Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- PDF differential parser failed (info, PDF_DIFFERENTIAL_PARSE_FAILED): The cross-check parser (pdfminer.six) failed on this file with PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://crysiq.ru/pbw?utm_term=java+jdk+1.7+free+download+for+windows+10+32+bit (PDF link annotation)
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000e302.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE302 | 5924 bytes | 8553e55a9a57cbc73e8260abb8e3145a39431be6e3831ce5c16de99b0e3c9b5b |
| font_01_sfnt_off0000f76e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF76E | 14540 bytes | fa5e29b2fcac519e5ca4b2dc2419037c24a2f919ab50f6a2adc21a0f43d4f6c5 |
| font_02_sfnt_off0001253a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1253A | 16060 bytes | 2cca29575edef7a9880cf400a7847cc5df22ba1ee7edc19c7b9bafe603f6c979 |