MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains numerous external links, many pointing to disposable domains, suggesting a link farm or phishing operation. The ML classifier and ClamAV detection strongly indicate malicious intent. While no scripts were explicitly extracted, the PDF structure and embedded URLs are indicative of a phishing lure designed to redirect users to malicious sites.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://mezovuduw.ru/123?utm_term=king+bed+platform+frame+with+storage PDF link annotation
- https://nuvomananakoleg.weebly.com/uploads/1/3/1/4/131453817/4897097.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4500667/normal_5ff16d6bc9ce9.pdfIn PDF document text
- https://xevibobi.weebly.com/uploads/1/3/4/6/134683071/3787429.pdfIn PDF document text
- https://xidazujagavoza.weebly.com/uploads/1/3/1/4/131453269/4527954.pdfIn PDF document text
- https://kavisovilige.weebly.com/uploads/1/3/5/3/135308643/2532156.pdfIn PDF document text
- https://dipilewojariwu.weebly.com/uploads/1/3/2/8/132814651/dd5ce6e272.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4402289/normal_5fca2024cc1b4.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.daltonmaag.com/In PDF document text
- https://uploads.strikinglycdn.com/files/7bf5c77d-11d3-422d-b025-9ca614a1f429/debukasuxomuwejirafex.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/2971aeb3-fa28-4e30-964b-1cf3d1bfbb82/blackmagic_design_intensity_pro_4k_installation.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/2d9f8390-74f0-4211-bd2c-172965d12bb4/65334470497.pdfIn PDF document text
- https://ad323f3e-245e-4e3c-8b16-de91fefec063.filesusr.com/ugd/5ea691_d44ce40bb1624743a98313b9f9260170.pdf?index=trueIn PDF document text
- http://defezinuxi.rf.gd/32681419645.pdfIn PDF document text
- http://fogobesu.rf.gd/67578335106.pdfIn PDF document text
- https://769966b8-4adc-437e-bba8-f198cf6e171b.filesusr.com/ugd/41a0b6_0bb37a36c22647fb968bb20b8c49dff7.pdf?index=trueIn PDF document text
- http://wozadubokurego.epizy.com/29772793809.pdfIn PDF document text
- https://1fc3e790-19e1-43b7-bae7-d09a953f51fe.filesusr.com/ugd/2c608b_32f2c32ea0a542dc9b6248425af47aac.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/6fa1852e-4e34-4dda-beda-5a2cbf3a51c1/22263211010.pdfIn PDF document text
- http://bumumewevebav.epizy.com/alphabetical_words_worksheet.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c69ef3ad-7d60-42d4-bd64-9daa853b6b88/93693267658.pdfIn PDF document text
- https://a62e46b8-d933-4087-892c-e5439cec6991.filesusr.com/ugd/e9cba9_32b0c01454c343b4a8369a8c6ec391ea.pdf?index=trueIn PDF document text
- http://sosunakefimafo.rf.gd/777_qabalistic_writings_aleister_crowley.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f536.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF536 | 5444 bytes |
SHA-256: f5f0ba12086ab2fdc1d80de09c3fa287d3ab0f6702ba47cbe8c9039f76a4c021 |
|||
font_01_sfnt_off00010799.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10799 | 10544 bytes |
SHA-256: 09a048932590122e1cf4b8a8d8c29a0658f92ec3d7ba1cf1f161c5a7d4110041 |
|||
font_02_sfnt_off00012b6b.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12B6B | 4324 bytes |
SHA-256: 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.