Verdict: MALICIOUS
Risk Score: 194
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file contains a significant number of external links, many hosted on disposable domains, suggesting a link farm or phishing attempt. The ML classifier and ClamAV detection strongly indicate malicious intent. The presence of embedded URLs and a 'download button' lure further support the conclusion that the document is designed to redirect users to potentially harmful content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics (7)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted URLs:
- https://golowaki.ru/123?utm_term=e+sound+phonics+worksheets (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f43f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF43F | 5032 bytes | c39987341d0ddaf5cf6f942d3d476d1ff527029446ad1107f0bd5d82cbac8bf5 |
| font_01_sfnt_off0001056f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1056F | 10860 bytes | 4c70f4a6e06be872ec7dca061a6823484c13a5a663b9cb9e0dd3f0a1363866d8 |