MALICIOUS
164
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm and presents a deceptive download button. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://xezojetit.ru/strik?utm_term=halo+warfleet+read+online PDF link annotation
- http://lologunaw.mygamesonline.org/eliseu_martins_livro_de_exercicios.pdfIn PDF document text
- http://kopuvimu.scienceontheweb.net/rizedufonufujotenonepabub.pdfIn PDF document text
- http://tavegumata.sportsontheweb.net/brennan_manning_all_is_grace.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://24218389-b518-4ca3-8548-65eaf758daa4.filesusr.com/ugd/c836c3_c58833b174eb43f0b4ffa03df2a0c507.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/tazopaju/lidar_lite_3_datasheet.pdfIn PDF document text
- https://s3.amazonaws.com/nitajosasa/vudexosijabugeveraladixaw.pdfIn PDF document text
- https://2065f6f1-29fb-48ac-a230-4f4ab2d4b746.filesusr.com/ugd/b62953_38971e0bbe1943b995b9636bc50e7390.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/dafumuxitupav/fifty_shades_of_grey_album_songs_mp3_download.pdfIn PDF document text
- https://s3.amazonaws.com/xufaxoferugod/how_to_install_evenflo_tribute_lx_car_seat.pdfIn PDF document text
- https://b6de9e3f-c562-4e05-b5ee-70895c8060ae.filesusr.com/ugd/3801ff_8e14cfb9cdd84e6593d6413d69a64d0f.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/dd65fe0a-c817-48d3-a075-b828b07c2eed/is_there_season_2_of_discovery_of_witches.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/fa06f13b-fe40-4cbd-a13a-038e88ebb587/19900619629.pdfIn PDF document text
- https://0315d410-4255-45a3-9477-873949dd02ac.filesusr.com/ugd/f85006_d4167aeb40554ba5a9236f0c22d58826.pdf?index=trueIn PDF document text
- https://2daccc73-8708-4113-a26a-4f38906335d9.filesusr.com/ugd/f65175_b6c8b29d7f5a49c196cf25f0dfe73bf7.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/xukonakefules/gopomigajotolo.pdfIn PDF document text
- https://s3.amazonaws.com/lotibabakuj/81277360595.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/873d9ccc-babc-4836-9627-07ecef8ec4c7/zapitetuber.pdfIn PDF document text
- https://73af689e-4c80-4f62-99d3-7a886641ad81.filesusr.com/ugd/3b5dd9_bb25b729902e44dab23634197e69f7c0.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/rafiralexezol/mipifumoju.pdfIn PDF document text
- https://s3.amazonaws.com/ladojenefe/ariens_snowblower_manual_926le.pdfIn PDF document text
- https://5efcf519-4c71-4be9-a00f-e1d47ba804c5.filesusr.com/ugd/ebcc4b_ad34134c68124d97b8de85019f897dda.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000101a8.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x101A8 | 4776 bytes |
SHA-256: ac8340eae046812fd3e5476709443ad87a12419c660fc77936ae6ff4a390f4f1 |
|||
font_01_sfnt_off00011207.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11207 | 10412 bytes |
SHA-256: 6ea6c74f770589086623f9297c522b6485ec8bd7c6854fc782dabc8506ea53da |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.