Verdict: MALICIOUS (Risk Score 134)
Malware Insights

MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF file was detected as malicious by ML classifiers and ClamAV, specifically flagged as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, which is likely part of a phishing or malware distribution scheme. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' further suggests a malicious intent to redirect users through multiple domains.
Machine Learning
- Nyx PDF Classifier malicious score 0.9983
Heuristics (6)

- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs, with the channel that reached each:
  - https://crysiq.ru/pbw?utm_term=tres+metros+sobre+el+cielo+parte+3+online+subtitrat+romana (PDF link annotation)
Extracted artifacts (4)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_005_off000130cf.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x130CF | 20192 bytes | 2f8900d735a726fbd538a9b9ee61039a7b2643ec3a2daedd02017175ab87913e |
| font_00_sfnt_off0000e5ac.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE5AC | 5332 bytes | 50f5fce1b795a406788502d988908f39d6fb88c060faca11a7b40687e2775365 |
| font_01_sfnt_off0000f7a7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF7A7 | 2916 bytes | b300c0711c0b7bb2d324b90f32a768d03de8e899a59b444cd1ea421c31031880 |
| font_02_sfnt_off0001038e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1038E | 14900 bytes | c78acd3fd16eead21fa1760091954a48c3498cfce7e9bbf964decc0c5cc3d92a |