MALICIOUS
Risk Score: 156
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains numerous external links, with a critical heuristic identifying it as a link farm. One prominent URL, 'https://gimoguvi.ru/strik?utm_term=diccionario+larousse+gratis+en+espa%25C3%25B1ol', is presented in a way that suggests a lure for free dictionary content. ClamAV and ML classifiers also flagged this PDF as malicious, specifically as a phishing trojan. The presence of embedded URLs and the link farm heuristic strongly indicate a malicious intent to redirect users to potentially harmful content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics 5
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI [info, PDF_URI]: PDF contains an external URL action
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://gimoguvi.ru/strik?utm_term=diccionario+larousse+gratis+en+espa%25C3%25B1ol (PDF link annotation)
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0001018d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1018D | 5312 bytes | a2dc0065568371009a37b0129b97b23c4732641bc65e149f81722849bbc0554b |
| font_01_sfnt_off00011375.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11375 | 10996 bytes | 3c8df65d3bc956855730688c7b31e32b7f0d81e00f26a2e186177db396f8a3bc |
| font_02_sfnt_off0001394e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1394E | 16672 bytes | d063cee071e3d026675df1c6797964ecd233f2b87e7beaa88445a1ad1272d8e0 |