MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains numerous external links, many hosted on disposable domains, suggesting a link farm or phishing operation. The ML classifier and ClamAV detection strongly indicate malicious intent. The embedded URLs, such as 'https://golowaki.ru/123?utm_term=4k+video+er+apk+latest+version', are likely part of a lure to direct users to malicious content or phishing sites.
Machine Learning
- Nyx PDF Classifier malicious score 0.9991
Heuristics 6
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://golowaki.ru/123?utm_term=4k+video+er+apk+latest+version
- https://zuwuloju.weebly.com/uploads/1/3/2/6/132681456/7127660.pdf
- https://dupigonaw.weebly.com/uploads/1/3/5/2/135297060/vufugatezexan.pdf
- https://juloxiwam.weebly.com/uploads/1/3/5/9/135967800/197fab20b72.pdf
- https://jaxipalat.weebly.com/uploads/1/3/4/7/134746428/jonaj-burisotono-bufijazev-ribawutasu.pdf
- https://durajonuz.weebly.com/uploads/1/3/1/3/131383269/jadalatik_tagegusol.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/48df6fd5-f824-48c9-b72f-91c998ec99da/it_infrastructure_engineer_interview_questions_and_answers.pdf
- https://be8f41f0-9ddd-434d-ab6d-aa755a40b80d.filesusr.com/ugd/726d9c_acff71f5894245ad98b1f4490622c83a.pdf?index=true
- https://7b4e975e-109f-4397-a679-93e438ff1453.filesusr.com/ugd/c33f71_57899c8110a249098130d3f0084b9829.pdf?index=true
- https://9e1b5e4e-b4ab-405b-8fdf-b3b6d7b19c28.filesusr.com/ugd/94ea38_14365b517f93417889e656589ab2573d.pdf?index=true
- https://77a48bbd-706a-45f8-a225-ac1cc02029d7.filesusr.com/ugd/3be48b_5745669a67374358885d25164851bd37.pdf?index=true
- https://52431b39-7396-4b0c-bcaf-ab72d449a1bf.filesusr.com/ugd/f8cef3_2cad67ca04d04fab80df4e79faf322c0.pdf?index=true
- https://1437f3f1-f978-4e1b-9120-555090070881.filesusr.com/ugd/d4ef56_a785231822c749939f249a20bb313f2e.pdf?index=true
- https://uploads.strikinglycdn.com/files/dc4a8179-d3e6-409a-95fb-a36ec8c88736/how_to_use_compleat_lexical_tutor.pdf
- https://s3.amazonaws.com/megodipewukitoj/48838743443.pdf
- https://19f621d4-ab03-49b5-bf1d-c78de40104d4.filesusr.com/ugd/bc84a3_8c9547ace5ee427c83ba816309be80b3.pdf?index=true
- https://eb40363d-1d1f-4170-a897-f23f0f433116.filesusr.com/ugd/2a1429_9749844b57a04c0eae9e6aeda443e1fe.pdf?index=true
- https://459ec6dd-5b69-4322-a182-74abbfaa0e48.filesusr.com/ugd/221eaa_293029d4854d499994f9977c52b9dcb9.pdf?index=true
- https://f3c4034a-4a94-4c47-b6c5-0445626d7bf8.filesusr.com/ugd/655f09_f6667fa6e19040a1903e4b5f5fd8d12f.pdf?index=true
- https://26bfc7ce-baa4-43a1-9280-72312523cbd3.filesusr.com/ugd/5af86b_0dc017f10f0644ccb7b7701d0f26309d.pdf?index=true
- https://s3.amazonaws.com/tazopaju/72522159570.pdf
- https://s3.amazonaws.com/fewifuwu/multiple_integrals_cheat_sheet.pdf
- https://a146b927-ed54-472d-b3a8-6b137e313b92.filesusr.com/ugd/4d400c_ce67224018354d18813cd8844575e634.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000ee91.bin7722d5b678728af4a3d12b8e525dce8b2f7ded53f326e7d14ea0689a35c9f70a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEE91 | 5684 bytes |
font_01_sfnt_off00010268.bin98092970a4950cfb2110946401bdd6e6d82ddbb9be9b061a0c3f86a4b2c5a729 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10268 | 5072 bytes |
font_02_sfnt_off000113b8.bin0df9832cfc5af80b801f03965aa32ffa143350b02011ec55e095d3f91a351c64 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x113B8 | 2012 bytes |
font_03_sfnt_off00011cee.binc286f7801a0a111a52b134f2d39014f172986f71263e9f96d7b76df2144e0835 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11CEE | 13032 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.