Verdict: MALICIOUS
Risk Score: 154
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains numerous external links, and a critical heuristic identifies it as a link farm designed to distribute other PDFs. One prominent URL, 'https://crewmak.ru/pbw?utm_term=free+employee+shift+schedule+template+for+excel', suggests a lure related to employment templates. ClamAV detected this file as 'Pdf.Phishing.Trojan', indicating malicious intent. While no scripts were directly extracted, the PDF structure and link farm behavior are indicative of a phishing or malware distribution campaign.
Machine Learning
- Nyx PDF Classifier malicious score 0.6788
Heuristics (4)
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI [info, PDF_URI]: PDF contains an external URL action
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://crewmak.ru/pbw?utm_term=free+employee+shift+schedule+template+for+excel
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000edf1.bin (46ee035dcd1d276ae4b221b74d8875241ac19380561d379da019170b5c07e1f0) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEDF1 | 5520 bytes |
| font_01_sfnt_off00010099.bin (912a34cb781bb201c9e034a0f89cfb7bc065be4c96e4186238bfe2365eefda5d) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10099 | 10384 bytes |