Verdict: MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains numerous embedded URLs, with a primary one leading to a domain associated with phishing and malware distribution. The heuristic PDF_SEO_DISPOSABLE_LINK_FARM indicates a large number of links on disposable hosting, suggesting a spam or phishing campaign. The ML classifier and ClamAV detection strongly indicate malicious intent, likely to trick users into downloading further malicious content or providing sensitive information.
Machine Learning
- Nyx PDF Classifier malicious score 0.9987
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL https://pelibifir.ru/strik?utm_term=how+to+get+money+cheats+on+sims+4+xbox+1 (PDF link annotation)
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off000148c2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x148C2 | 5588 bytes | 50d95fc84e921089e0082616cd27a9a79df2c3f38531650a921a26543499774e |
| font_01_sfnt_off00015bd4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15BD4 | 11792 bytes | 20f0bc02f2a34a861ae6bd50f23dbf01e299478424ad81d5bab303e1536bdd8e |
| font_02_sfnt_off0001844f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1844F | 16104 bytes | d2703eec0843ee934b0a8bba7850da2550094fb4af61d17619ccbf35009047d2 |