Risk Score: 126 (MALICIOUS)
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The PDF contains a large number of external links, many hosted on disposable domains, indicating a link farm or SEO manipulation tactic. The ML classifier strongly flagged this PDF as malicious, and the presence of numerous external URIs suggests a potential for distributing further malicious content or redirecting users to phishing sites. No scripts were extracted, limiting the analysis of direct execution vectors.
Machine Learning
- Nyx PDF Classifier malicious score 0.9991
Heuristics (5)
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://soxebez.ru/strik?utm_term=how+to+make+3d+face+mask+pattern (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000fca2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFCA2 | 5548 bytes | 1c8162984577940fb1742b5ffb091632d1a4cf6e166965599c154ec88b80f88f |
| font_01_sfnt_off00010f80.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10F80 | 10788 bytes | d47d9fd32d2807a8be2f325831a0e28c0d4e8aa35de0735767b17fe06203a0e0 |