Verdict: MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF carries a large number of embedded URLs. Most point to free or disposable hosting and are spread thinly across many distinct hosts with no dominant one, the shape of an SEO link farm rather than of a normal document's citations, which indicates phishing or malware distribution. The ClamAV signature (Pdf.Phishing.Trojan) and the ML classifier (malicious score 0.9997) agree on a malicious verdict. No scripts were extracted, so the T1059.007 (JavaScript) mapping is not corroborated by recovered code; the PDF structure and embedded links instead mark the file as a lure whose risk lies in the linked destinations, which are expected to route the reader into payload or redirect chains.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9997
Heuristics (5)
- ClamAV detection [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs
- https://bologen.ru/wix?keyword=cbap+%252F+ccba+certified+business+analysis+study+guide (PDF link annotation)
- http://mastera-saydinga.ru/netgear_wifi_extender_3700_setup3x9el.pdf (in PDF document text)
- http://wonnaturila.space/project_management_institute_logo_change7zwev.pdf (in PDF document text)
- http://mitisavad.getenjoyment.net/30021330420.pdf (in PDF document text)
- http://raisinsapp.pro/que_tipo_de_sistema_operativo_es_linuxy4c7m.pdf (in PDF document text)
- http://vsedlyatebya.xyz/tp_link_av500_nano_powerline_adapter_manuallfyre.pdf (in PDF document text)
- http://gagivukamuw.getenjoyment.net/how_to_use_proctor_silex_10_cup_coffee_maker.pdf (in PDF document text)
- http://pc-remont.website/79391882404h3jys.pdf (in PDF document text)
- http://patajafurep.mywebcommunity.org/56370935097.pdf (in PDF document text)
- http://www.ascendercorp.com/ (in PDF document text)
- http://www.ascendercorp.com/typedesigners.html (in PDF document text)
- https://uploads.strikinglycdn.com/files/d884bd6c-6137-441f-baae-1627f65b3557/mds_3.0_rai_manual_chapter_4.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/c33eaf05-f28c-4926-970e-d9baf5f99ac5/19517334020.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/94e3db3c-2e42-4c60-b8c4-de148e20bcde/sobijafabeputazepuj.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/ecc60212-88b9-4cc1-9d24-9cd78edb1e8f/lexokabimezuvijorofav.pdf (in PDF document text)
- http://bidusibebawuz.onlinewebshop.net/lodemodexoner.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/c46b8481-ecbf-44fb-8bb1-d9d4052d1006/46201914385.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/73a397d3-6bba-4c67-9ba0-44ccbaf6109e/2004_r6_value.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/406b0d78-a1af-40b4-872c-062e6326cf50/are_the_harry_potter_movies_as_good_as_the_books.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/b7736799-aed0-43af-90a7-e224042fd290/zowimatat.pdf (in PDF document text)
- https://s3.amazonaws.com/vapite/zefisaboxi.pdf (in PDF document text)
- http://valupakukav.myartsonline.com/89141548080.pdf (in PDF document text)
- https://s3.amazonaws.com/divelatoxa/what_is_the_main_message_of_who_moved_my_cheese.pdf (in PDF document text)
- https://s3.amazonaws.com/dojonuta/holcim_philippines_annual_report_2017.pdf (in PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
- http://purl.org/dc/elements/1.1/ (in PDF document text)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
- http://scripts.sil.org/OFL (in PDF document text)

The last seven entries (the RDF, Dublin Core and Adobe PDF/XMP namespace URIs and the SIL Open Font License URL) are schema identifiers from the document's XMP metadata and embedded font licence text, not clickable destinations; discount them when judging the link-farm shape. The ascendercorp.com links likewise come from embedded font metadata rather than from the lure text.
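The two structural heuristics above, PDF_SEO_DISPOSABLE_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, are easy to reproduce over raw PDF bytes. The following is an added illustration, not the analyzer's own code: it builds a small uncompressed PDF (constructed here, reusing a handful of the URLs listed in this report) whose content stream is redefined by an appended incremental update, then shows what a first-wins and a last-wins reader would each resolve for that object, and scores the URL set for the "many links, many hosts, no dominant host, disposable hosting or SEO redirector" shape. The thresholds, the disposable-host list, the SEO query-parameter names and the metadata-namespace filter are assumptions made for the example. Real samples keep page text in Flate-compressed streams, so a stream decoder would sit in front of the regexes in practice.

```python
"""Re-implementation over raw PDF bytes of two report heuristics:
PDF_SEO_DISPOSABLE_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL.
Added illustration, not the analyzer's code. Thresholds, disposable-host
list, SEO parameter names and the sample PDF are assumptions made here."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Free/disposable content hosts seen in the report's URL list (assumed list).
DISPOSABLE_HOSTS = ("uploads.strikinglycdn.com", "s3.amazonaws.com",
                    "getenjoyment.net", "mywebcommunity.org",
                    "onlinewebshop.net", "myartsonline.com")
# XMP/RDF namespace URIs sit in almost every PDF's metadata; not destinations.
METADATA_PREFIXES = ("http://ns.adobe.com/", "http://purl.org/dc/",
                     "http://www.w3.org/1999/02/")
SEO_PARAMS = ("utm_term", "keyword")  # assumed SEO-redirector query markers

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
RAW_URL_RE = re.compile(rb"https?://[^\s<>()'\"]+")

def object_bodies(pdf):
    """(num, gen) -> every body defined for that id, in file order."""
    bodies = {}
    for num, gen, body in OBJ_RE.findall(pdf):
        bodies.setdefault((int(num), int(gen)), []).append(body.strip())
    return bodies

def duplicate_objects(pdf):
    """Ids defined more than once with differing body bytes."""
    return {k: v for k, v in object_bodies(pdf).items() if len(set(v)) > 1}

def first_wins(pdf, num, gen=0):
    """Body a first-definition-wins reader resolves `num gen R` to."""
    return object_bodies(pdf)[(num, gen)][0]

def last_wins(pdf, num, gen=0):
    """Body a reader that honours the incremental update (last definition) sees."""
    return object_bodies(pdf)[(num, gen)][-1]

def extract_urls(pdf):
    """URL -> channel: /URI link actions first, then URL-shaped raw text."""
    urls = {u.decode("latin-1"): "link annotation" for u in URI_RE.findall(pdf)}
    for u in RAW_URL_RE.findall(pdf):
        urls.setdefault(u.decode("latin-1"), "document text")
    return urls

def link_farm_report(urls, min_hosts=6, max_dominant_share=0.5):
    """Score the 'many links spread thin over many hosts' shape."""
    hosts, disposable, seo_redirector = Counter(), 0, False
    for url in urls:
        if url.startswith(METADATA_PREFIXES):
            continue  # schema identifiers, not clickable destinations
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        hosts[host] += 1
        if any(host == d or host.endswith("." + d) for d in DISPOSABLE_HOSTS):
            disposable += 1
        seo_redirector |= any(p in parse_qs(parts.query) for p in SEO_PARAMS)
    total = sum(hosts.values())
    share = max(hosts.values(), default=0) / total if total else 0.0
    return {"links": total, "hosts": len(hosts), "dominant_share": round(share, 2),
            "disposable": disposable, "seo_redirector": seo_redirector,
            "link_farm": (len(hosts) >= min_hosts and share <= max_dominant_share
                          and (disposable > 0 or seo_redirector))}

# Constructed sample: one page whose content stream (object 4) is redefined by
# an appended incremental update carrying the "related documents" links.
# /Length values are placeholders; nothing here validates them.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj
4 0 obj << /Length 0 >> stream
BT (CBAP / CCBA certified business analysis study guide) Tj ET
endstream endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI
/URI (https://bologen.ru/wix?keyword=cbap+%252F+ccba+certified+business+analysis+study+guide) >> >> endobj
6 0 obj << /Type /Metadata /Subtype /XML /Length 0 >> stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Length 0 >> stream
BT (Related documents:) Tj
(http://mastera-saydinga.ru/netgear_wifi_extender_3700_setup3x9el.pdf) Tj
(http://wonnaturila.space/project_management_institute_logo_change7zwev.pdf) Tj
(http://mitisavad.getenjoyment.net/30021330420.pdf) Tj
(http://raisinsapp.pro/que_tipo_de_sistema_operativo_es_linuxy4c7m.pdf) Tj
(http://patajafurep.mywebcommunity.org/56370935097.pdf) Tj
(https://uploads.strikinglycdn.com/files/b7736799-aed0-43af-90a7-e224042fd290/zowimatat.pdf) Tj
(https://uploads.strikinglycdn.com/files/c46b8481-ecbf-44fb-8bb1-d9d4052d1006/46201914385.pdf) Tj
(https://s3.amazonaws.com/vapite/zefisaboxi.pdf) Tj ET
endstream endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

if __name__ == "__main__":
    print(link_farm_report(extract_urls(SAMPLE_PDF)))
    for (num, gen), bodies in duplicate_objects(SAMPLE_PDF).items():
        print(f"object {num} {gen} defined {len(bodies)} times with different bodies")
        print("first-wins:", first_wins(SAMPLE_PDF, num, gen)[:60])
        print("last-wins: ", last_wins(SAMPLE_PDF, num, gen)[:60])
```

On the sample, object 4 is reported once as a duplicate: a first-wins reader renders the innocuous study-guide page, a last-wins reader renders the page of links, which is exactly why a scanner that only honours one definition can be shown different content than the victim's viewer. The link-farm score flags the URL set (8 hosts over 9 links, largest host share 0.22, five links on disposable hosts, one SEO-style query) while a citation list that points at one or two hosts stays below the host threshold.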
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000ed6f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xED6F | 5504 bytes | 41d29d5124c0c4c14c1c04586240c1253738f062707de52607f854e83f3aa4a9 |
| font_01_sfnt_off0001003c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1003C | 11780 bytes | 9233e0a6794b8ac8c327079f1fb8300fda4e59c86731836d0019099d442474e1 |

Both carved artifacts are embedded font programs; no script, file attachment or other active content was recovered from the sample, consistent with the summary above.