MALICIOUS
226
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file contains a large number of external links, many pointing to disposable domains, suggesting a link farm designed to distribute malware or phish users. The presence of a PHP webshell heuristic indicates a potential for server-side compromise or malicious script execution. While no scripts were directly extracted, the overall structure and heuristics point towards a malicious document intended to redirect users to harmful content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
PHP webshell / backdoor source high WEBSHELL_PHPThe file contains PHP server-side code with the signature of a webshell/backdoor (request input fed to a command/code-exec sink). A webshell takes attacker input from an HTTP request and runs commands/code on the server. Flagged as a malicious hacktool artifact even when carried inside a document or archive — the code does not execute from the carrier, but the file is a webshell.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://vilenefex.ru/123?utm_term=bollywood+movie+bazaar+full+hd PDF link annotation
- https://cdn.sqhk.co/konosoka/cKslifT/download_apk_3d_cute_cat_live_wallpaper.pdfIn PDF document text
- https://jawimuxuketeg.weebly.com/uploads/1/3/4/7/134763527/jukuferomofo.pdfIn PDF document text
- https://cdn.sqhk.co/vawadawuleja/icsVW8B/vice_news_hbo_last_episode.pdfIn PDF document text
- https://cdn.sqhk.co/kuzetuzame/9dqhob5/download_whack_your_boss_cartoon_land.pdfIn PDF document text
- http://lixorajepidil.mygamesonline.org/what_is_a_battery_float_charger.pdfIn PDF document text
- https://cdn.sqhk.co/kidimezamos/fQjjQie/android_okhttp_post_example.pdfIn PDF document text
- https://cdn.sqhk.co/gafisasiwu/0oAjfjg/38261585575.pdfIn PDF document text
- https://vejazejama.weebly.com/uploads/1/3/1/3/131381369/8197558.pdfIn PDF document text
- https://cdn.sqhk.co/fujotojaxob/diafhiB/swag_video_status_maker_mod_apk_download.pdfIn PDF document text
- https://wexarasi.weebly.com/uploads/1/3/4/3/134351888/4244165.pdfIn PDF document text
- https://cdn.sqhk.co/miloxuso/iicJih1/football_games_2020_ps4.pdfIn PDF document text
- https://tewijudejasivi.weebly.com/uploads/1/3/2/6/132682467/83a7f954.pdfIn PDF document text
- https://sejiganabukuja.weebly.com/uploads/1/3/4/5/134585043/xuginu.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/1aad53ef-4f78-4f8a-a8cc-4f077b7a2898/waxejavaverogelurof.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/9e020886-9932-40e6-967d-663cf40ddb38/jifuvepivogana.pdfIn PDF document text
- http://bumejefivoxigo.myartsonline.com/how_much_is_david_beckham_worth_in_pounds.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c5499e03-0f4a-427e-ba38-54c79a5e1a78/suketilikazopugavap.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/330c8f1b-b035-476d-bd3f-2cb4170423f1/change_numbers_in_excel_from_arabic_to_english.pdfIn PDF document text
- https://98e80eac-0673-4bf9-a3de-4132461903b3.filesusr.com/ugd/1acd69_2afad8282e1240d7ba566f911fda7190.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/62579a7d-84f3-490c-88e9-fc79177b5c27/how_can_i_contact_paparazzi.pdfIn PDF document text
- http://pupagerirawax.myartsonline.com/can_you_flat_tow_a_dodge_durango_2018.pdfIn PDF document text
- https://411be8f8-4ba1-40b5-9edf-cc4a2c3d5ecc.filesusr.com/ugd/a86d68_2387c59103ed4815ab89f2e922590da9.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f7a1.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF7A1 | 5464 bytes |
SHA-256: e1e82fa27a04769b9b1793ab7c2c2cf832b1da455c1a911c2e3a4936483a9dae |
|||
font_01_sfnt_off00010a36.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10A36 | 15404 bytes |
SHA-256: 5ec3889e73d52ad5f540ea7e63d768b4995421b95310c09f0735f9eac5213c97 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.