Verdict: MALICIOUS
Risk Score: 156
Malware Insights
MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan' and an ML classifier indicating high maliciousness. The document contains a large number of external links, suggesting it is part of a link farm designed to direct users to malicious websites. The embedded URLs, such as https://jacksth.ru/wb?keyword=pretty%20little%20liars%20season%204%20episode%2010, are likely used to disguise the true malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics (5)
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://jacksth.ru/wb?keyword=pretty%20little%20liars%20season%204%20episode%2010
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000e0dd.bin | f264aae48d219765180ade3c8561f32682b811b7497a8d5444d791f8ed2b04c3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE0DD | 5340 bytes |
| font_01_sfnt_off0000f324.bin | fddac907b26af1a0ec925c77e665d20e758a0bca81780994dacac1d9ff5c7ecd | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF324 | 10740 bytes |