Verdict: MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 6
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off000146b0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x146B0 | 12340 bytes | 5befc2c0a28b87294e14afaa6d40240885ff303b18db382f7caa3cd590315021 |
| font_01_sfnt_off00016ef2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16EF2 | 5208 bytes | f1e0527bfa1e60f2ac2f13c497792a498861f21ed9e193ad7530ec0be13b9aeb |
| font_02_sfnt_off000180cf.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x180CF | 13900 bytes | bafcd16b7c90fd224dc62d6d11f1e3eac39ae65dd0efdb64fa1b60c919171f26 |
| font_03_sfnt_off0001ab91.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1AB91 | 16068 bytes | 12bdfdd26b42687ed6d6e4673084773943fc64d80ea302008a05158b1f99f3df |