MALICIOUS
226
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file was detected as malicious by ClamAV and an ML classifier, exhibiting characteristics of a phishing lure. The heuristic 'SE_PAYMENT_REDIRECT_LURE' indicates the document attempts to trick users into believing there are new or changed bank instructions, a common tactic in business email compromise attacks. The presence of numerous external links, including one to 'seumenha.ru', suggests a link farm designed to redirect users to malicious sites.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LUREDocument describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://seumenha.ru/strik?utm_term=suction+dilation+and+curettage+under+ultrasound+guidance+cpt+code PDF link annotation
- https://cdn-cms.f-static.net/uploads/4468294/normal_6035a420f07e8.pdfIn PDF document text
- https://nunodovov.weebly.com/uploads/1/3/1/3/131380210/bekuvewesifo.pdfIn PDF document text
- https://gotumofavi.weebly.com/uploads/1/3/4/6/134602885/5675195.pdfIn PDF document text
- https://bawimivumo.weebly.com/uploads/1/3/4/6/134609907/jutizanobuf-vodalisax.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4381297/normal_5fccfccf2bdae.pdfIn PDF document text
- https://siregudak.weebly.com/uploads/1/3/0/7/130738759/suviz_posik_jomowipafo_pelokiwekatoj.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4450043/normal_6020b01e6e5c2.pdfIn PDF document text
- https://sitepofom.weebly.com/uploads/1/3/1/4/131438718/xogezasorun_tisaxupinu.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/jasadavebaga/bamagunofilewok.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f3166017-2905-4fc4-ae93-74828f579930/dowufonomuwizubaradapeg.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/3cee0e35-e3a0-45fb-a493-b24c0ff5d007/should_you_use_quotes_in_a_summary.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/20a7f97f-9c37-41e4-8164-f07ec45b8470/what_days_are_stock_market_closed_2020.pdfIn PDF document text
- https://s3.amazonaws.com/luxaduzimase/access_control_policy_and_procedures_template.pdfIn PDF document text
- https://s3.amazonaws.com/rodigapigeta/dell_xps_8300_bios_update_a07.pdfIn PDF document text
- https://s3.amazonaws.com/tawovojo/14208981179.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/7206109c-1142-42a5-9a55-85f680d70685/kubota_zd331_repair_manual.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/0de227e2-bb07-4b72-ba92-63ed6b1d3a3f/gumojewejerexasetifakor.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f489.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF489 | 5344 bytes |
SHA-256: 951f8dff7c54fe76827b89d6840d07d8955a00e3c17842b3dd97ae9b894a9df1 |
|||
font_01_sfnt_off000106c5.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x106C5 | 10828 bytes |
SHA-256: 73d068d5717c9b72e6a198dd08f54037daf062d171c4b96d5785497107203731 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.