MALICIOUS
166
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
T1203 Exploitation for Client Execution
This PDF was flagged by multiple heuristics as suspicious, including an invisible link to a suspicious domain and a link farm on disposable hosting. The ML classifier and ClamAV also identified it as malicious, specifically as a phishing trojan. The embedded URLs suggest a phishing or malware distribution attempt, likely using a lure to trick users into downloading further malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Image-heavy PDF with invisible link to suspicious domain high PDF_SUSPICIOUS_LINK_LUREPDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://xajibur.ru/strik?utm_term=a+game+of+thrones+book+chapter+summary PDF link annotation
- http://dhl-order.info/sherlock_holmes_the_emerald_crown_espaoli5d9o.pdfIn PDF document text
- http://zozegakipuvi.iblogger.org/platform_definition_in_tagalog.pdfIn PDF document text
- http://visionnew.xyz/150237531014kf0g.pdfIn PDF document text
- http://gouliwer.online/wenumonabalobazanusiym68.pdfIn PDF document text
- http://ninefukesat.iblogger.org/kjv_apocrypha_concordance.pdfIn PDF document text
- http://streichpack.online/viwujezarl5ac.pdfIn PDF document text
- http://swiss-gear.shop/figuvopefif4agu6.pdfIn PDF document text
- http://rmk4sale.xyz/functional_programming_in_python_oreillypiwft.pdfIn PDF document text
- http://study-english-02.space/18989364904bwpza.pdfIn PDF document text
- http://temilops.xyz/maravilloso_desastre_pelcula_2018ggut6.pdfIn PDF document text
- http://consequences.space/zovosatupanubobalozudinuc4e8.pdfIn PDF document text
- http://managerprogram.live/fozunoxubopudoxeaql.pdfIn PDF document text
- http://basijinogasa.22web.org/71730964892.pdfIn PDF document text
- http://hookup757.fun/zefutisiyfmsd.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://9e9203d9-9f5b-42f2-a849-05e42d741f90.filesusr.com/ugd/3527d5_ac61159113e744c4b0b459a7f3508d79.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/07f2d931-3faa-4683-8922-150adae17d8e/the_ultimate_guide_to_tarot_a_beginners_guide_to_the_cards.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/2b73e5ff-4258-4c13-a1e9-b2da5882ddf0/lifezesiwodup.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/bab0e751-ee11-4c2f-99e1-80ac886af977/5641542135.pdfIn PDF document text
- https://144ece88-722e-4d59-a9d1-ae16887514c2.filesusr.com/ugd/48b17f_aefe096bb8674cb9ad808239759f62a0.pdf?index=trueIn PDF document text
- http://lotumimo.epizy.com/vulewapebekiradavugageva.pdfIn PDF document text
- https://9005981c-20a7-4b93-9dfe-a591c0bc6fcf.filesusr.com/ugd/afbba5_f0824eee65904d57aa0a70853c739df5.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000fd8f.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFD8F | 5692 bytes |
SHA-256: c7f7e4e10595d686f0345637eaa59429ece4ea73886d681a50ea1f663d6ab89a |
|||
font_01_sfnt_off000110d9.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x110D9 | 11156 bytes |
SHA-256: d4fe0a1abf1fdf74390d3539036f39e4f472a7e6bbcc8a93a22e1710fc64f282 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.