MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The heuristics reveal it functions as a link farm, containing numerous external links, some of which point to disposable hosting. The primary URL identified is 'https://seumenha.ru/wix?keyword=elder+scrolls+online+pickpocket+guide', suggesting a potential lure or SEO manipulation tactic.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://seumenha.ru/wix?keyword=elder+scrolls+online+pickpocket+guide PDF link annotation
- https://cdn-cms.f-static.net/uploads/4460981/normal_601bcb126b526.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4490365/normal_601fb45d3173a.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4496826/normal_5fd70a24922f0.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4426944/normal_603319adf2b56.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4380867/normal_60239eef8de6c.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://35479656-6a94-44d6-ac55-da507c14a2ae.filesusr.com/ugd/d68318_5b4c6f4e6e1d49d59644c8a99f162b30.pdf?index=trueIn PDF document text
- https://737c154f-ca75-4484-807d-9d5c19d76377.filesusr.com/ugd/7e84b7_57383dea7d0c4ab3bce3aa07ae0bba97.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/def8b7df-da5a-4992-b5d6-5d27e469a98a/thesis_statement_worksheet_college.pdfIn PDF document text
- https://9042e326-c85f-44e6-b9b6-0c206471fdba.filesusr.com/ugd/0d2fda_866e6d2920db464dae39d053e450aac8.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/a4a95a17-d883-409c-aa96-40cef8d6c7e1/dutexuma.pdfIn PDF document text
- https://bcd7deca-fd5d-492b-a220-d373ca515bc9.filesusr.com/ugd/12f4eb_7d812a31fe0147b6940cc2346d829d19.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/738fefc0-a0c4-4284-893f-7ad1ebcb9bad/95255394267.pdfIn PDF document text
- https://52a1af19-6946-4c37-aba6-ab00a30e4874.filesusr.com/ugd/5dc3ca_38b5d973718f4ebaa46c750c1d158dec.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/fadobirak/chipotle_burrito_box_order_form.pdfIn PDF document text
- https://01d67eed-50ba-4ccb-8f82-c1581f7ed07e.filesusr.com/ugd/e3325f_d9271b78a3bf47d9ad066ac02578d892.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/b63ecbfb-12a0-48a4-a3ca-fd1ddddd2ad6/lekenijinololipewikudilig.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/1e54fd64-e3f6-4a45-8969-0c0a07d1bd35/what_should_the_tire_pressure_be_on_a_2015_jeep_grand_cherokee.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/7168e699-320b-48b7-9b22-b2408213c349/8904699728.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/cac17d3d-56fc-4129-aeb3-6ad2aa6ec223/how_to_help_dyslexic_students_with_reading.pdfIn PDF document text
- https://s3.amazonaws.com/gajakelegeza/vusufobaven.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f4cd17ea-058b-4aef-80c0-e4de403c0784/stephen_king_cujo_book_summary.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f021.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF021 | 5052 bytes |
SHA-256: 8e85f4080edf9611194ce2b27aef5fb32758d7a47ab628818d9eb1b843795a85 |
|||
font_01_sfnt_off0001016d.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1016D | 10392 bytes |
SHA-256: ae9d30f190aeaee6e5a1aadc262db19e421df466b8639a45ad53c92d8b696b17 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.