Verdict: MALICIOUS
Risk Score: 196
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The PDF document contains numerous external links, many of which are part of a link farm, suggesting a phishing or SEO poisoning attempt. The 'SE_BROWSER_INSTALL_LURE' heuristic indicates the document prompts the user to install a browser extension or update, a common social engineering technique. ClamAV also detected the file as 'Pdf.Phishing.Trojan'. The presence of multiple external URLs, including one pointing to a potential phishing domain, supports the classification as a phishing attack.
Machine Learning
- Nyx PDF Classifier malicious score 0.9993
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Browser extension / update installation lure (high, SE_BROWSER_INSTALL_LURE): Document tells the user to install a browser extension, plugin, viewer, or browser update to view content, a common social-engineering path for credential theft and malware installation.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://botokaw.ru/wix?keyword=oregon+license+plate+search (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000e59d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE59D | 5224 bytes | 908586a315d8f26be522b5483096422c3dddf102014bb38b9a9c4804ccbb2dc6 |
| font_01_sfnt_off0000f75d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF75D | 10412 bytes | 0a8512c75872ff0d7b60d132279dac8e10850eae52c003c42a2126e1ee4ca242 |