Verdict: MALICIOUS
Risk Score: 186

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9968
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0001697b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1697B | 5392 bytes | d29b3415b3253cecd1ceb6eb7ded285597ce9bf8cba45acacf8e0dc748c16219 |
| font_01_sfnt_off00017ba6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17BA6 | 11172 bytes | 784dc44a2d6d07cf78a900974f54f5fe35218197b3b27dd44e065d5226e56e25 |