MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains numerous external links, with a critical heuristic identifying a 'PDF_SEO_LINK_FARM' suggesting a large number of links generated for SEO purposes. One of the primary links directs to 'https://jacksth.ru/award?keyword=respuesta+antigeno+anticuerpo+pdf', which is presented in the document body as a search result. This indicates a likely phishing or malicious redirection attempt. No scripts were extracted, but the presence of many external links and the ML classification strongly suggest malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://jacksth.ru/award?keyword=respuesta+antigeno+anticuerpo+pdf PDF link annotation
- http://watogoda.mypressonline.com/pigebe.pdfIn PDF document text
- http://xteenware.online/face_mask_wrap_around_neckg5ovv.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4410976/normal_5fc91d99d1635.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4470703/normal_603d7c535f47f.pdfIn PDF document text
- http://idealica-ufficiale.site/936099397777byu4.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4492281/normal_602d5eb95b7b3.pdfIn PDF document text
- http://drenajkrasnodar.ru/nejetubaziginamogilorg6msw.pdfIn PDF document text
- http://fallofelin.online/derivative_markets_3rd_edition_solutions2vmf6.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4380859/normal_6047dfc314bf9.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4388062/normal_5ff456ec002c5.pdfIn PDF document text
- http://tujukesabegakom.mygamesonline.org/fapapumatijiketenig.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/varolexexus/crazy_train_flute_sheet_music.pdfIn PDF document text
- https://s3.amazonaws.com/tanikanaw/edexcel_a_level_maths_books.pdfIn PDF document text
- https://6129906d-bc82-46a7-99f5-71793a58af3c.filesusr.com/ugd/d162e3_7277e0f8ff634870a8d50784864f8a03.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/naxozelozude/netgear_prosafe_gs108t_default_ip.pdfIn PDF document text
- https://s3.amazonaws.com/gifiz/70652806920.pdfIn PDF document text
- http://dowuvoduwitovos.atwebpages.com/bedilegumikegid.pdfIn PDF document text
- https://6bc61794-ec17-45f1-96eb-8bed4cd57308.filesusr.com/ugd/217b8a_4d260522da1a456facdde8ca3d1dfe2d.pdf?index=trueIn PDF document text
- https://7abbf572-6989-4614-8246-9d5ba34cd238.filesusr.com/ugd/af841b_4134b96d296a41f399147d2f81108a7d.pdf?index=trueIn PDF document text
- http://jenotuxeje.onlinewebshop.net/automation_testing_using_selenium.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f838.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF838 | 5300 bytes |
SHA-256: afc100ef9a1940eb909f97b0e2d6e033c2170dc2c2bb84410aa8526a48fc8bac |
|||
font_01_sfnt_off00010a57.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10A57 | 12116 bytes |
SHA-256: adb7b33b7e58ba957a837ed789d36ff4f1a660907e92f01019cf1900bf51cff0 |
|||
font_02_sfnt_off000131f5.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x131F5 | 16116 bytes |
SHA-256: a9678ba6cedec70d06cadf1dc5e665d7a98521a251f28c12b441c77d8e6f4dee |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.