MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file contains a large number of external links, indicating it is likely part of a link farm or phishing campaign. The ClamAV detection and ML classifier strongly suggest malicious intent. While no scripts were explicitly extracted, the PDF structure and embedded URLs point towards a phishing or SEO manipulation attack.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 6
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI)
  PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL
- https://vilenefex.ru/strik?utm_term=how+to+learn+grammar+faster (PDF link annotation)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f98f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF98F | 5140 bytes | 13b76d0f1e343cd50448e8f03211218625bf8d3a10662aa6e8459ebef7b87784 |
| font_01_sfnt_off00010b0b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10B0B | 10736 bytes | 8b63f7b56bb3f9d9010782c7a68997629a924049f31116aaca5bd12746829dd6 |