MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://kuzutuzo.ru/123?utm_term=article+15+movie+trailer+free PDF link annotation
- https://cdn.sqhk.co/kuzaxepigi/hcqWZ5n/hello_yogurt_to_go_container.pdfIn PDF document text
- https://cdn.sqhk.co/tavanaru/hfqpgjt/skateboard_party_3_pc.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://44bb6ee8-a0fe-4f72-890f-0f0a2fec05cf.filesusr.com/ugd/b65acf_511b1fcff8794be893fe27b55322c1f5.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/28d0fdda-bb72-426e-a4fc-625c7e59704b/28116115644.pdfIn PDF document text
- https://s3.amazonaws.com/zomuzigo/10980134103.pdfIn PDF document text
- https://5548a280-a194-4776-8019-0e256783c1fa.filesusr.com/ugd/f2c1dc_a5e1b374ce6a4d6d9d3f3676f0850c9e.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/279ab0c9-b7fc-4d82-8ed8-6d86d09e8421/90922045733.pdfIn PDF document text
- https://s3.amazonaws.com/difigomisosak/mystatlab_pearson_answers.pdfIn PDF document text
- https://68358877-4ee6-4e53-94f7-4bd9665c1f53.filesusr.com/ugd/3bbd68_d840ded43d8b4f20bdd31d10c6bfb801.pdf?index=trueIn PDF document text
- https://368051e9-4199-40ea-b9a2-dc6e6f83cb3b.filesusr.com/ugd/6260fe_49e3f2e9cf4c4f8f972d533153c2714d.pdf?index=trueIn PDF document text
- https://de2a8dfc-dc8d-4d62-be3b-f97abdd17bf6.filesusr.com/ugd/c722c2_faf87033b43f4f9f8938e6062b2e0a3a.pdf?index=trueIn PDF document text
- https://2d130471-2a64-48ba-87cf-8f1e86c6acad.filesusr.com/ugd/9c43ec_d01fd8c17ade48a99fff81b572a31d5d.pdf?index=trueIn PDF document text
- https://67dc9804-4028-4298-afd7-d431d2c16fe6.filesusr.com/ugd/559c84_c03cc29278f84cb79d19cd093abefb02.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/2f020f20-4dd1-4808-87dc-7fa0aca0ac9a/45070240018.pdfIn PDF document text
- https://56148a0a-83a3-4003-94ff-78d3044b7c00.filesusr.com/ugd/6f5f23_62a53545f5db494e95e289eb66ff4064.pdf?index=trueIn PDF document text
- https://d12e84a0-9808-45da-82c6-613dfe540d1b.filesusr.com/ugd/dc8a8e_7dda55d22fb346f6b3603527f5c019cb.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/xeroguru/spring_mvc_tutorial_gontuseries_youtube.pdfIn PDF document text
- https://ba10d46a-d7c1-43af-8542-f1a50f31aa8a.filesusr.com/ugd/4dded2_dbe62a65defb4162bdce91205228fa50.pdf?index=trueIn PDF document text
- https://65de77fc-0341-4fd2-89b2-cd6b005a91de.filesusr.com/ugd/cf79db_c9a4563f8ea2423091f93006109120cf.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/serogajugomiji/timex_watches_mens_sale.pdfIn PDF document text
- https://229c3593-bb94-4e5d-9b9f-ca3747df48ef.filesusr.com/ugd/145364_8c0883cbbd974812bd325d00fa0e5dd8.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f181.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF181 | 5072 bytes |
SHA-256: 6aa28083eb896744d9a359f3959c5d74556f7fe1097822e3b0803b807f10f1fd |
|||
font_01_sfnt_off000102c1.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x102C1 | 11580 bytes |
SHA-256: db8da0557e9cf9f9aa5c7766692a0b5e32db2e4f6aa0f5289a037aafef642138 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.