Verdict: MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9992
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI [info, PDF_URI]: PDF contains an external URL action
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Embedded URLs
- https://druttle.ru/wix?keyword=declaration+of+independence+scavenger+hunt+answers (PDF link annotation)
- http://allieshouseofhope.com/83756309570ic4z9.pdf (In PDF document text)
- http://impergamon.com/nupipajixanesapegafeomdnx.pdf (In PDF document text)
- http://svoylend.xyz/quarto_de_despejo_download_gratiqi0s8.pdf (In PDF document text)
- http://fonivoguko.medianewsonline.com/air_pollution_and_control_notes.pdf (In PDF document text)
- http://best-store.club/pop_punk_road_trip_songsbsqkq.pdf (In PDF document text)
- http://xatovapotogu.mywebcommunity.org/basics_of_javascript_programming.pdf (In PDF document text)
- http://mmuuue.space/bigg_boss_3_tamil_promo_today8xs1u.pdf (In PDF document text)
- http://lazadacostumercenter.com/42964654062rmidy.pdf (In PDF document text)
- http://rubyshup.space/pilejawomebopemefimafjdkwd.pdf (In PDF document text)
- http://www.ascendercorp.com/ (In PDF document text)
- http://www.ascendercorp.com/typedesigners.html (In PDF document text)
- https://101c3d73-5e22-4da1-a203-a3a2a794ce88.filesusr.com/ugd/69a512_fcfbcf37cd7f43d4a04018d0b99c6a44.pdf?index=true (In PDF document text)
- https://uploads.strikinglycdn.com/files/42411722-ce38-4849-a422-e11f69d0f0be/zuvukuguxenufumezifija.pdf (In PDF document text)
- https://ab25a8b3-4d80-4d4b-93a1-c1347014fa7c.filesusr.com/ugd/8d0191_af52ffd6eb2d4905a8d6296752584701.pdf?index=true (In PDF document text)
- https://574dee49-ee40-4737-ae02-340ce2b26f9d.filesusr.com/ugd/b44cf7_8b706291520a4effb1a37eb1e74c353a.pdf?index=true (In PDF document text)
- http://sogivuwe.onlinewebshop.net/5237306308.pdf (In PDF document text)
- https://7f993087-45f6-41f4-96e5-9dcaca18fb91.filesusr.com/ugd/9a92dd_916a6955147643309479037575fc0dfe.pdf?index=true (In PDF document text)
- https://e474413f-ff6d-4b46-a00c-d4c33541206b.filesusr.com/ugd/ddecc0_3089d71ef6754a328035370080efe099.pdf?index=true (In PDF document text)
- https://uploads.strikinglycdn.com/files/a078eebe-9059-4283-bba4-9eb2bdaaadaa/the_art_of_color_johannes_itten_free_download.pdf (In PDF document text)
- https://uploads.strikinglycdn.com/files/bd3b2ba9-0b27-479e-8da1-aba35aafae52/craftsman_snow_blower_parts_diagram.pdf (In PDF document text)
- https://5a995288-ce6f-4ae3-a3e6-14272d8003db.filesusr.com/ugd/7be1cd_139cdb5d7e23482d87eeb9238b0168d9.pdf?index=true (In PDF document text)
- https://uploads.strikinglycdn.com/files/77d8ef0f-7a4d-4626-b3c8-59540d23a056/juxokelakuvimekidasinutu.pdf (In PDF document text)
- https://2dc0326d-ac60-47d8-bf46-f2dc9d334570.filesusr.com/ugd/21b4a7_9aa150b4fa54443fb71a8325ea4f2157.pdf?index=true (In PDF document text)
- https://6f81cef9-66a2-447d-9e1d-4c0427ef15c5.filesusr.com/ugd/4d935e_d13034e68dc14bfca024b950524475d5.pdf?index=true (In PDF document text)
- https://uploads.strikinglycdn.com/files/b895d8ea-90c3-4257-b433-c4e6f5a65207/damazizefok.pdf (In PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
- http://purl.org/dc/elements/1.1/ (In PDF document text)
- http://ns.adobe.com/pdf/1.3/ (In PDF document text)
- http://ns.adobe.com/xap/1.0/ (In PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (In PDF document text)
- http://scripts.sil.org/OFL (In PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00010aee.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10AEE | 5568 bytes | 80167ce5fc5de8756272248eb30941d87054d558f601235a319fd1c1c5db5c6c |
| font_01_sfnt_off00011dfb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11DFB | 11768 bytes | cc11b3eb969b5204192e5386b2280372fe2f76b3625cf3fcf60534e941f82db0 |