Verdict: MALICIOUS (risk score 126)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF contains a large number of external links, most of them hosted on free or disposable content hosts (weebly.com, strikinglycdn.com, pbworks.com, s123-cdn-static.com, f-static.net) in the pattern of a generated SEO link farm. The one URL reached through a link annotation, https://allytemp.ru/pbw?utm_term=endgame+watch+online+123movies, carries a utm_term for a pirated-content search query and is the likely redirector that routes search traffic into the delivery chain. No scripts were extracted, so the T1059.007 mapping is not corroborated by any recovered JavaScript; the verdict rests on the link-farm structure and the redirector link, and the document itself carries no exploit. The risk is at the linked destinations, which a user is expected to click through to.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics (5)
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the "free document/template" SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels below give the channel (macro, JS, link annotation, document body, ...) that reached each URL.
  - https://allytemp.ru/pbw?utm_term=endgame+watch+online+123movies (PDF link annotation)
  - https://static.s123-cdn-static.com/uploads/4391315/normal_5fc90a87016a1.pdf (in PDF document text)
  - https://kiloroxo.weebly.com/uploads/1/3/0/8/130813762/0f9f0e8c.pdf (in PDF document text)
  - https://cdn-cms.f-static.net/uploads/4393363/normal_602a1a5cdb404.pdf (in PDF document text)
  - https://luxatowukubise.weebly.com/uploads/1/3/7/5/137508256/kewetiv_minemoki_jinepak.pdf (in PDF document text)
  - https://fusagepewaliwe.weebly.com/uploads/1/3/5/3/135325652/1837520.pdf (in PDF document text)
  - https://josusijino.weebly.com/uploads/1/3/0/7/130739082/09c496f25.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - https://uploads.strikinglycdn.com/files/b903fbe8-dc3f-42de-879f-604e6e00d235/how_to_use_omron_5_series_blood_pressure_monitor.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/367fbed7-5dbc-4131-96a4-5249c0dbd2cf/42066386399.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/42da25d5-ff05-42dd-b30d-b49d1334afb8/zefabelotakelarufufifiwi.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/314623f4-7468-4eea-8a54-e11a8bdc6732/lubefazidajebav.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/42c49c9b-c645-4653-a3dd-59a8be65ec39/wordly_wise_3000_book_5_lesson_5_test.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/c193dd71-a5c1-44fb-8766-77c0fc9c09b9/89398054284.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/8e13ed77-d3ea-4bef-9d0f-b5acf8418eff/texefeserugatexiwukuwix.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/a546b09c-73bb-42cf-a078-1edd4ee2b9c4/26719862259.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/26f1f376-c33c-4fe4-802c-c147df4c2d85/93303195868.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/fe4ac378-4008-4300-b751-0fee66de66ad/blackpods_user_manual.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/3368a71a-7ed1-46da-a41b-659d1d1b591f/60575963504.pdf (in PDF document text)
  - http://jotoxipigi.pbworks.com/w/file/fetch/144584154/tipos_de_poblacion_en_metodologia_dela_investigacion.pdf (in PDF document text)
  - http://zixereves.pbworks.com/w/file/fetch/144532332/15951989386.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/4502545c-4ea6-4176-a913-13b71ef4c3f3/arris_tm822_modem_specs.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/c7de2e80-f041-4185-8ee4-8e053fea9f93/how_to_unfreeze_ge_ice_maker_water_line.pdf (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
  - http://scripts.sil.org/OFL (in PDF document text)

  Only the allytemp.ru URL is wired to a link action; every other entry was found in the raw document bytes. The w3.org, purl.org and ns.adobe.com entries are RDF/XMP namespace identifiers from the metadata stream, http://scripts.sil.org/OFL is the SIL Open Font License URL carried in embedded font data, and the ascendercorp.com entries most likely come from the embedded fonts' name tables as well (Ascender is a type foundry); none of these are clickable and they do not count toward the link-farm heuristics.
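The link-farm and duplicate-object heuristics above are simple enough to reproduce directly over raw PDF bytes, which is also the only way to see both copies of a redefined object. The following is an added example written for this page, not code from the analyzer that produced this report; the disposable-host list (seeded from the hosts in this report), the thresholds (5 links, 200 KB, 60% host dominance), the `build_sample_pdf` helper, the sample URL list and the constructed incremental update are all assumptions chosen for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumption: seed list of free/disposable content hosts, taken from the hosts
# that appear in this report. A production scanner would keep a larger list.
DISPOSABLE_HOST_SUFFIXES = (
    "weebly.com", "strikinglycdn.com", "pbworks.com",
    "s123-cdn-static.com", "f-static.net",
)
# Dictionary keys whose presence makes a duplicated object body "active content".
ACTIVE_CONTENT_RE = re.compile(rb"/(?:JS|JavaScript|Launch|URI|OpenAction|AA)\b")
# Raw-byte scans on purpose: no xref resolution, so every definition of an
# object (including ones shadowed by an incremental update) is visible.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")


def build_sample_pdf(urls, extra=b""):
    """Constructed minimal PDF-like bytes with one /Link annotation per URL.
    Not a viewer-valid PDF; it only exercises the scanners below."""
    refs, objs = [], []
    for num, url in enumerate(urls, start=4):
        refs.append(b"%d 0 R" % num)
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >> endobj\n"
                    % (num, url.encode()))
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + b" ".join(refs) + b"] >> endobj\n"
            + b"".join(objs)
            + b"trailer << /Root 1 0 R >>\n%%EOF\n" + extra)


def extract_link_urls(pdf):
    """URLs reached through /URI actions (the 'PDF link annotation' channel)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def is_disposable(host):
    return any(host == s or host.endswith("." + s) for s in DISPOSABLE_HOST_SUFFIXES)


def link_farm_findings(pdf, min_links=5, small_bytes=200_000, dominant_ratio=0.6):
    """PDF_SEO_LINK_FARM / PDF_SEO_DISPOSABLE_LINK_FARM style checks.
    Returns (rule, severity, detail) tuples; thresholds are illustrative."""
    urls = extract_link_urls(pdf)
    if len(pdf) > small_bytes or len(urls) < min_links:
        return []
    hosts = Counter(h for h in ((urlsplit(u).hostname or "").lower() for u in urls) if h)
    if not hosts:
        return []
    top_host, top_n = hosts.most_common(1)[0]
    if top_n / len(urls) >= dominant_ratio:   # clustered on one host
        return [("PDF_SEO_LINK_FARM", "critical",
                 f"{top_n}/{len(urls)} links on {top_host}")]
    utm = [u for u in urls if "utm_term" in parse_qs(urlsplit(u).query)]
    disposable = sorted(h for h in hosts if is_disposable(h))
    if utm or disposable:                     # spread thin, but corroborated
        return [("PDF_SEO_DISPOSABLE_LINK_FARM", "medium",
                 f"{len(hosts)} hosts, {len(utm)} utm_term redirector(s), "
                 f"disposable hosts: {', '.join(disposable)}")]
    return []


def duplicate_object_findings(pdf):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL style check: the same (num gen) defined
    again with different bytes. First-wins readers use the first body, last-wins
    readers the last; severity is raised only if either body carries active content."""
    first, findings = {}, []
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        body = m.group(3).strip()
        if key not in first:
            first[key] = body
        elif body != first[key]:
            active = bool(ACTIVE_CONTENT_RE.search(body) or ACTIVE_CONTENT_RE.search(first[key]))
            findings.append(("PDF_DUPLICATE_OBJ_BODY_INCREMENTAL",
                             "medium" if active else "info", "%d %d" % key))
    return findings


# Constructed sample URLs modelled on the shape of this report's link list.
SAMPLE_URLS = [
    "https://allytemp.ru/pbw?utm_term=endgame+watch+online+123movies",
    "https://kiloroxo.weebly.com/uploads/1/3/0/8/130813762/0f9f0e8c.pdf",
    "https://uploads.strikinglycdn.com/files/b903fbe8-dc3f-42de-879f-604e6e00d235/how_to_use_omron_5_series_blood_pressure_monitor.pdf",
    "https://uploads.strikinglycdn.com/files/367fbed7-5dbc-4131-96a4-5249c0dbd2cf/42066386399.pdf",
    "http://jotoxipigi.pbworks.com/w/file/fetch/144584154/tipos_de_poblacion_en_metodologia_dela_investigacion.pdf",
    "https://cdn-cms.f-static.net/uploads/4393363/normal_602a1a5cdb404.pdf",
]
# Constructed incremental update (hypothetical): object 1 changes only benign
# keys (info), object 5 is redefined with a new /URI action (active, medium).
SAMPLE_UPDATE = (
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /PageMode /UseNone >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://allytemp.ru/pbw2) >> >> endobj\n"
    b"trailer << /Root 1 0 R /Prev 0 >>\n%%EOF\n"
)
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS, SAMPLE_UPDATE)

if __name__ == "__main__":
    for finding in link_farm_findings(SAMPLE_PDF) + duplicate_object_findings(SAMPLE_PDF):
        print(*finding, sep=" | ")
```

Run stand-alone, the constructed sample yields three findings: the non-clustered link farm (one utm_term redirector plus four disposable hosts across five distinct hosts), a body-only duplicate of object 1 reported at info, and a duplicate of object 5 that swaps in a second /URI action and is therefore raised. The regex scan rather than a PDF library is deliberate: a parser that resolves objects through the xref table hands back one body per object number, which hides exactly the first-wins/last-wins divergence the duplicate-object heuristic is looking for.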
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000e27d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE27D | 5712 bytes | 7a4212a39141c094100ea900c641fa84fe72f016d940edf4c442081c2ee516f6 |
| font_01_sfnt_off0000f5f3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF5F3 | 10900 bytes | 15e34837b43bfbb825e3d0ff0fe05d40f8b475e004bfa6e1cccd8620a121b41c |