Verdict: MALICIOUS
Risk Score: 186

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9996
Heuristics (6)
- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The single link-annotation URL is the utm_term SEO-redirector link https://kuzutuzo.ru/strik?utm_term=power+conversion+cc+to+hp; the remaining extracted URLs were found in PDF document text.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000fb3b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFB3B | 4932 bytes | 5859fd16a0bf01df76f3e2de67dc6ba5a8eb259b448e87279d945ab500bccd97 |
| font_01_sfnt_off00010c1e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10C1E | 11204 bytes | 1cfdf855bdf2e1612726a0122c7ff9c2552f4a03bbefddb82c28832f87ceb426 |