MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains heuristics indicating it is a link farm on disposable hosting, with a high ML score and ClamAV detection confirming maliciousness. The embedded URL points to a domain that appears to be part of a phishing or scam operation, likely intended to redirect the user to a malicious website. No scripts were extracted, but the PDF structure and external links suggest a phishing lure.
Machine Learning
- Nyx PDF Classifier malicious score 0.9989
Heuristics 5
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://dugedepap.ru/123?utm_term=why+was+the+book+of+enoch+banned (PDF link annotation)
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00023a4e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x23A4E | 21788 bytes | dc4c68578fce0b5b926e262d6af9d62bad92d6584b587ebacbfc2efbae7b5c29 |
| font_01_sfnt_off00027554.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x27554 | 5392 bytes | 856460565af360c720b1956a5804228895c6ced8d629255918c9b379b9047967 |
| font_02_sfnt_off000287cf.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x287CF | 17992 bytes | 53e53b3749bb2bf5a7e201096e4c028f419266d00dbbaa72564e4b6a17f907bd |
| font_03_sfnt_off0002bd99.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2BD99 | 6348 bytes | 39cf0bf0ab1dd839116514f2caf8ea90c110242a6d73144c26a1988c0e1c7f38 |