MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a large number of external links, many of which are obfuscated or lead to potentially malicious domains, as indicated by the PDF_URI and PDF_SEO_LINK_FARM heuristics. The ML classifier and ClamAV detection strongly suggest malicious intent. While no scripts were explicitly extracted, the presence of numerous external links points towards a phishing or malware distribution scheme, likely initiated via spearphishing.
Machine Learning
- Nyx PDF Classifier malicious score 0.9518
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://druttle.ru/aws?utm_term=ancillary+testing+reports PDF link annotation
- https://cdn-cms.f-static.net/uploads/4403127/normal_601af5b43120d.pdfIn PDF document text
- https://cdn.sqhk.co/sejiragidu/eiiMGhg/boat_wallpaper_for_mobile_black.pdfIn PDF document text
- https://cdn.sqhk.co/xasakeza/GgiK2hc/tap_titans_2_build_guide_2020.pdfIn PDF document text
- http://narosisebono.22web.org/jikosedak.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4485172/normal_6004ca981ea48.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4417040/normal_5fe660fe02156.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4365583/normal_5fd8f562c1d66.pdfIn PDF document text
- https://cdn.sqhk.co/wejuladuke/jcTsieG/29076926842.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4392474/normal_6005904e7f5d1.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4416299/normal_601f0bcde05d6.pdfIn PDF document text
- https://dinidoleto.weebly.com/uploads/1/3/0/9/130969871/61fccab4e59d48d.pdfIn PDF document text
- https://cdn.sqhk.co/dasupejej/hiGDFU0/best_customer_service_number_for_xfinity.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/tanikanaw/stress_fracture_medial_cuneiform_icd_10.pdfIn PDF document text
- https://s3.amazonaws.com/gazivemon/risimunitegopani.pdfIn PDF document text
- https://s3.amazonaws.com/sirilagewuga/exide_pakistan_annual_report_2018.pdfIn PDF document text
- https://s3.amazonaws.com/nemafu/wojotozogonow.pdfIn PDF document text
- https://s3.amazonaws.com/tezude/sona_babu_laya_song.pdfIn PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00012f74.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12F74 | 4980 bytes |
SHA-256: f6b9278025c5c65fe6ac6cc53eee85524ae04130b71e13d5770843454bb0201c |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.