MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a large number of external links, many of which are SEO-optimized and point to potentially malicious domains, as indicated by the 'PDF_SEO_LINK_FARM' heuristic. The ML classifier and ClamAV also flagged this file as malicious, specifically as a phishing or trojan PDF. The document body, though heavily obfuscated, appears to be related to 'Comptia cysa exam pdf', suggesting a lure for users searching for exam materials.
Machine Learning
- Nyx PDF Classifier malicious score 0.9819
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILEDThe cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://jumiwimov.ru/award?keyword=comptia+cysa+exam+pdf
- https://zadopuvaja.weebly.com/uploads/1/3/4/8/134892734/8cc38042ab46c.pdf
- http://heliusdesign.ru/20806525341n4987.pdf
- https://xidoferowugefu.weebly.com/uploads/1/3/4/3/134348033/9416643.pdf
- http://feelslike35.com/mununavenxxk.pdf
- https://memetunariva.weebly.com/uploads/1/3/1/4/131454345/0824333728c9.pdf
- https://boripate.weebly.com/uploads/1/3/4/5/134590871/fc9fc8e14122e43.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/f7e49e25-1cc8-4a93-9ea5-c467de6a7191/14661198242.pdf
- http://sumoxajavagal.rf.gd/left_bundle_branch_block_treatment.pdf
- https://s3.amazonaws.com/senodiw/calculate_time_based_on_file_size.pdf
- http://pafewanofa.epizy.com/73876601478.pdf
- https://uploads.strikinglycdn.com/files/7e3b3634-8da1-427e-b68f-d6383a7dd8de/rulasotamanupalejekij.pdf
- https://s3.amazonaws.com/jebokizez/is_s9_plus_discontinued.pdf
- https://uploads.strikinglycdn.com/files/f241e67d-40f3-4ae6-8e71-96d5b4b5f652/fujubebekekezuxurag.pdf
- https://s3.amazonaws.com/nutanigonu/wapizuriwamabena.pdf
- https://uploads.strikinglycdn.com/files/a14f06d3-76bc-4010-8ea0-668d1b807671/48489300736.pdf
- http://zogaxemajov.epizy.com/combat_pistol_training_near_me.pdf
- https://s3.amazonaws.com/xasovewipeje/matlab_rectangular_waveguide.pdf
- https://s3.amazonaws.com/sewamos/penafututuxa.pdf
- https://uploads.strikinglycdn.com/files/ef7d6150-b3e4-4555-80e6-e20ffba0f7d3/7225217723.pdf
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f56c.bin39844e06dd85903e262cf177a93bbdc6b7b2a71ea57e98ac48fc490e9e936269 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF56C | 5248 bytes |
font_01_sfnt_off00010741.bin06b2ad67d7bee6ebfa91a0c8901930487e34719dda73d415cc10fee6239bff8f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10741 | 12604 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.