MALICIOUS
126
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
This PDF document was flagged as malicious by an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9989
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://dafemum.ru/wix?keyword=compound+predicate+worksheets+with+answers+pdf PDF link annotation
- https://winomumamo.weebly.com/uploads/1/3/1/0/131070375/4837502.pdfIn PDF document text
- https://banafazag.weebly.com/uploads/1/3/4/3/134325205/dutemepolobi.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4465919/normal_601920f3f39a6.pdfIn PDF document text
- http://tekeriset.iblogger.org/57026364448.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4421641/normal_6038494833fa3.pdfIn PDF document text
- http://vabenawak.iblogger.org/wokefirebudum.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4369498/normal_5fc88ea5366bc.pdfIn PDF document text
- https://xuwowazasoko.weebly.com/uploads/1/3/4/0/134041707/6122193.pdfIn PDF document text
- https://xanerenidijuv.weebly.com/uploads/1/3/0/7/130739333/ececf4225f.pdfIn PDF document text
- https://kevavabine.weebly.com/uploads/1/3/1/4/131406582/fuvolikanad.pdfIn PDF document text
- http://kanurapubefuxo.iblogger.org/friendship_day_shayari_images.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4486190/normal_5fcbd933edb89.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4486192/normal_602a101de95b2.pdfIn PDF document text
- http://www.opentle.orgIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://7737876a-f762-42ef-af6f-18b78abacabf.filesusr.com/ugd/9066bd_ce8e860cda0c4d0f8c5a8af8c4389543.pdf?index=trueIn PDF document text
- https://44dd6259-7513-41c7-b2f1-b2b1fc385d2e.filesusr.com/ugd/63022f_fe10605f6721400b8403757679389a73.pdf?index=trueIn PDF document text
- http://jagutebi.epizy.com/adenocarcinoma_renal.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b1e0cc0b-fb9b-440f-aa20-dd6968c8bf35/popoxedurunexedifa.pdfIn PDF document text
- http://dupavumomupu.epizy.com/rigoxixokadiko.pdfIn PDF document text
- http://pimuxexud.epizy.com/answered_prayers.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a1d806fb-e9c8-4d1a-95c3-2329fc14dafa/canon_mx922_cannot_connect_to_wifi.pdfIn PDF document text
- http://minifuduredejo.rf.gd/bible_english_standard_version.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ceb4e9ff-a4e7-4414-aa28-2a96429590c5/edexcel_salters_a_level_biology_past_papers.pdfIn PDF document text
- https://4123e755-5e7e-4fb8-b167-49ba90d37259.filesusr.com/ugd/fd3290_a94f9f742f2f447e98754a3842d60735.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/a3d003b3-ff33-4ee2-bcd0-b4bd786088df/saduve.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://www.gnu.org/licenses/gpl.htmlIn PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_004_off0001039b.bin |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1039B | 14420 bytes |
SHA-256: 23d634db467c39ee7652ec44259542736d1c5044b6fed467e20061d1a9552cb4 |
|||
font_00_sfnt_off0000f14e.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF14E | 5424 bytes |
SHA-256: e6ad7536eebc52397c7f41588649f82c037cc35340290490252b331c7670ce5c |
|||
font_02_sfnt_off00012bd0.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12BD0 | 10504 bytes |
SHA-256: 1c54d41f933bf75be751d28e5f01aae007de61fb1edd29b411e5fe0a506ef987 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.