Verdict: MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains a large number of external links, most of them pointing at free or disposable file-hosting domains (weebly.com, strikinglycdn.com and pbworks.com subdomains), which indicates an SEO link-farm carrier or phishing lure rather than a genuine document. The ClamAV signature and the ML classifier both point to malicious intent. No scripts were extracted, so the T1059.007 (JavaScript) mapping is not corroborated by any recovered script content; the PDF structure and embedded URLs mark it as a document built to redirect users to potentially harmful destinations, not one that exploits the reader. Note that both host-distribution heuristics fired on this sample: uploads.strikinglycdn.com hosts 12 of the 24 external links found in the document text, while the remainder are spread across distinct pbworks.com and weebly.com subdomains.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9996
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI [info, PDF_URI]
  PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URLs:
- https://queure.ru/pbw?utm_term=maisto+tech+rc+rock+crawler+pro+series+4ws (PDF link annotation)
- https://wivapofeselaf.weebly.com/uploads/1/3/5/3/135317026/puxuk.pdf (in PDF document text)
- https://sonujeti.weebly.com/uploads/1/3/0/9/130969686/3bdcc.pdf (in PDF document text)
- http://www.ascendercorp.com/ (in PDF document text)
- http://www.ascendercorp.com/typedesigners.html (in PDF document text)
- https://uploads.strikinglycdn.com/files/91ff04fa-d3d4-493c-b590-52db52324920/wukipobizozawimog.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/d1e9316a-266d-4434-b1a4-b5c387b686c8/ac_circuit_analysis_practice_problems.pdf (in PDF document text)
- http://lekipirunezi.pbworks.com/w/file/fetch/144415035/97593780156.pdf (in PDF document text)
- http://pukagij.pbworks.com/w/file/fetch/144560730/72528118076.pdf (in PDF document text)
- http://zeladejan.pbworks.com/f/fasusaji.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/be6ab7b5-ce8f-4632-911d-33539d6cfd8c/minebevowop.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/fd4a0884-a39f-4b41-9903-625c778e6734/best_intermediate_electric_guitar_songs_to_learn.pdf (in PDF document text)
- http://dipoziw.pbworks.com/f/longman_preparation_course_for_the_toefl_test_ibt_second_edition_download.pdf (in PDF document text)
- http://nosiravuga.pbworks.com/f/pobalum.pdf (in PDF document text)
- http://ruwomodanom.pbworks.com/f/53996974172.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/52ae95c7-decf-4a5b-baac-3a0b9e93480e/dosepafedes.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/c93897b5-8d71-4264-890b-df3292bd77ed/19953854927.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/4dfda0ed-762a-4f61-8f99-4cdb69246a60/the_date_of_record_is_the_date_that_directors_vote_to_pay_a_cash_dividend_to_shareholders.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/5e211bcd-8ae2-42ba-b1bb-a3996d4ef428/modelo_de_memorandum_de_llamada_de_atencion_por_tardanza_peru.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/528e8da3-8827-4929-8c03-5c0c6fe3b841/salo_120_days_of_sodom_movie_online.pdf (in PDF document text)
- http://vafobotigef.pbworks.com/f/molonaj.pdf (in PDF document text)
- http://juvudibip.pbworks.com/f/how_long_does_ophthalmic_shingles_last.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/c9d3ac08-d761-4f60-975f-be64c1417101/how_to_print_on_vinyl_sticker_paper.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/0fe96012-66df-4206-837d-88d00dc66619/emergency_severity_index_esi.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/fef597c4-a24e-4682-9e7c-65c4a43e81df/tinadizuraruzutegoti.pdf (in PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text; RDF metadata namespace URI, not a navigable link)
- http://purl.org/dc/elements/1.1/ (in PDF document text; Dublin Core metadata namespace URI)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text; XMP metadata namespace URI)
- http://ns.adobe.com/xap/1.0/ (in PDF document text; XMP metadata namespace URI)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text; XMP metadata namespace URI)
- http://ns.adobe.com/xap/1.0/rights/ (in PDF document text; XMP metadata namespace URI)
- http://scripts.sil.org/OFL (in PDF document text; SIL Open Font License URL)
  The last seven entries are standard XMP/RDF metadata and font-licence identifiers found in most PDFs; exclude them when counting external links or judging host clustering.
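The two structural heuristics from the list above, PDF_SEO_LINK_FARM / PDF_SEO_DISPOSABLE_LINK_FARM (host distribution of the external links) and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (one object number with two different bodies, escalated only when a body carries active content), re-implemented as an added example in Python. This is not the analyzer's own code: the thresholds, the disposable-host and metadata-namespace host lists, the active-content keyword list and the sample PDF are all assumptions made here, and the scan runs over raw uncompressed bytes (no FlateDecode handling), which is enough to show the logic on a constructed file.

```python
# Added example; heuristics, thresholds, host lists and sample bytes are assumptions.
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed lists; the analyzer's real lists are not shown in the report.
DISPOSABLE_HOSTS = ("weebly.com", "strikinglycdn.com", "pbworks.com")
NAMESPACE_HOSTS = {"www.w3.org", "purl.org", "ns.adobe.com"}  # XMP/RDF identifiers, not links

URI_ACTION = re.compile(rb"/URI\s*\(([^)]*)\)")                    # link-annotation target
TEXT_URL = re.compile(rb"https?://[^\s()<>\"']+")                  # URL anywhere in the bytes
INDIRECT_OBJ = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
ACTIVE_CONTENT = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA)\b")


def extract_urls(pdf):
    """Return (link_annotation_urls, text_urls) from raw PDF bytes, dropping
    metadata namespace URIs, which are identifiers rather than links."""
    annot = [m.group(1).decode("latin-1") for m in URI_ACTION.finditer(pdf)]
    seen, text = set(annot), []
    for m in TEXT_URL.finditer(pdf):
        url = m.group(0).decode("latin-1")
        if url not in seen and (urlsplit(url).hostname or "") not in NAMESPACE_HOSTS:
            seen.add(url)
            text.append(url)
    return annot, text


def link_farm_verdict(urls, min_links=10, dominant_share=0.6):
    """Many links clustered on one host -> PDF_SEO_LINK_FARM; many links spread over
    free/disposable hosts, or corroborated by a utm_term redirector ->
    PDF_SEO_DISPOSABLE_LINK_FARM. Thresholds are assumptions for this example."""
    hosts = [h for h in (urlsplit(u).hostname for u in urls) if h]
    if len(hosts) < min_links:
        return "none"
    _, top_count = Counter(hosts).most_common(1)[0]
    if top_count / len(hosts) >= dominant_share:
        return "PDF_SEO_LINK_FARM"
    disposable = sum(h.endswith(DISPOSABLE_HOSTS) for h in hosts)
    redirector = any("utm_term=" in u for u in urls)
    if disposable >= min_links // 2 or redirector:
        return "PDF_SEO_DISPOSABLE_LINK_FARM"
    return "many_links_unclassified"


def duplicate_objects(pdf):
    """Indirect objects (N G) defined more than once with different bodies.
    Returns {(num, gen): severity}: 'critical' when a competing body carries
    active content, otherwise 'info', matching the report's escalation rule."""
    variants = {}
    for m in INDIRECT_OBJ.finditer(pdf):
        key, body = (int(m.group(1)), int(m.group(2))), m.group(3).strip()
        if body not in variants.setdefault(key, []):
            variants[key].append(body)
    return {
        key: "critical" if any(ACTIVE_CONTENT.search(b) for b in bodies) else "info"
        for key, bodies in variants.items()
        if len(bodies) > 1
    }


def build_sample():
    """Constructed minimal PDF (not the report's sample): a link annotation with a
    utm_term redirector, a content stream listing PDF links on disposable hosts, and
    an incremental update redefining the catalog (1 0 obj) with an /OpenAction that
    runs JavaScript. No xref table; the regex scan does not need one."""
    links = (
        [f"https://uploads.strikinglycdn.com/files/{i}/doc{i}.pdf" for i in range(5)]
        + [f"http://host{i}.pbworks.com/f/file{i}.pdf" for i in range(6)]
        + ["https://example.weebly.com/uploads/1/2/3/guide.pdf"]
    )
    stream = b"\n".join(b"(%s) Tj" % u.encode() for u in links)
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj\n",
        b"4 0 obj << /Length %d >> stream\n%s\nendstream endobj\n" % (len(stream), stream),
        b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
        b"/URI (https://queure.ru/pbw?utm_term=free+template) >> >> endobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
        # incremental update: same object number, different body, active content
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >> endobj\n",
        b"6 0 obj << /S /JavaScript /JS (app.launchURL('https://queure.ru/pbw')) >> endobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


def analyze(pdf):
    """Run both heuristics; returns a dict shaped like the report's findings."""
    annot, text = extract_urls(pdf)
    return {
        "external_links": len(annot) + len(text),
        "link_farm": link_farm_verdict(annot + text),
        "duplicate_objects": duplicate_objects(pdf),
    }


if __name__ == "__main__":
    print(analyze(build_sample()))
```

On the constructed sample the verdict is PDF_SEO_DISPOSABLE_LINK_FARM (no host reaches 60% of the links, most sit on free hosts, and a utm_term redirector is present), and object 1 0 is reported as critical because its second body adds an /OpenAction. Real samples usually keep page content in FlateDecode streams, so a production scanner inflates every stream before running the URL regex; the duplicate-object check, by contrast, works on the raw file as shown, since incremental updates append uncompressed object headers.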
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000d88c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD88C | 5272 bytes | b9be8e1c945d0f1ba03e92e2c93aeb80f16f46e7badf8699bfe20f21f7d375ee |
| font_01_sfnt_off0000ea93.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEA93 | 12448 bytes | bdcb1ab943e3334fd056082de8592f2b77801f637896bc69be81892977eceb2b |