Verdict: MALICIOUS
Risk Score: 196
Malware Insights
MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains numerous external links, many of which point to SEO-optimized redirectors designed to phish users or distribute malware. The heuristic 'PDF_SEO_LINK_FARM' and 'PDF_SEO_UTM_REDIRECTOR_LINK' indicate a deliberate attempt to create a link farm for malicious purposes. The primary malicious URL identified is https://zajinet.ru/wix?keyword=ohio+county+numbers+50, which is likely used to host or redirect to malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Image lure linking to an SEO redirector (free-download phishing) (high, PDF_SEO_UTM_REDIRECTOR_LINK): PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector, the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://zajinet.ru/wix?keyword=ohio+county+numbers+50 (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f601.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF601 | 5332 bytes | 5685cbc05ae363c2990bb9fb5a443e25f7859c52cfb519f4690efac76745c580 |
| font_01_sfnt_off00010802.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10802 | 10940 bytes | a859664f8658d81c811f1038fcb294ab644d1bd32953a41408f33020aa6f84a0 |