MALICIOUS
Risk Score: 126

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains multiple external URIs, with one prominent URL suggesting a phishing lure related to 'progressive education'. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing trojan. While no scripts were directly extracted, the PDF structure and embedded URLs are indicative of a phishing campaign designed to redirect users to malicious sites.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9993
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://baarspo.ru/strik?utm_term=what+is+progressive+education+pdf (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f6ab.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF6AB | 5460 bytes | 88f8114449a1fb681c3557a212900fdf41487fd27e61b2c708297363cb9e00c3 |
| font_01_sfnt_off00010950.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10950 | 11504 bytes | 977950bba9ef4d30b8c7e4c0e77bca51a9bd7c1b2e8a61ec6016e644770a043b |