MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://jumiwimov.ru/wix?keyword=the+outsiders+answers+chapter+3 PDF link annotation
- http://50offstore.info/homedics_cool_mist_ultrasonic_humidifier_how_to_cleans3hf8.pdfIn PDF document text
- http://gooddevice-online.com/how_to_create_recurring_journal_entry_in_quickbooks_online2rt0i.pdfIn PDF document text
- http://oneplusonemain.xyz/how_do_you_win_the_lottery_every_timegzvy0.pdfIn PDF document text
- http://interbank.link/55606713233h7ehq.pdfIn PDF document text
- http://pelistens.xyz/sdgs_in_action_film_festival269jk.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/9405429d-8ab2-4dd8-a48d-f36204ebc9ad/spinoza_ethics_part_2_proposition_47.pdfIn PDF document text
- https://1eb42bdc-3da6-4b32-b75f-4382f1721f8e.filesusr.com/ugd/35474d_d5d4fba689df4e749a238a795c99b2a8.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/fb25ff03-6a61-49f2-bca9-ccb437b7a302/honeywell_r7284_hard_lockout.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c4572fb9-d642-412b-8e9f-e10814987443/fotapapol.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8a819245-5742-46b1-8ade-540b1cd31613/surah_al_mulk_download.pdfIn PDF document text
- https://e5447efa-8854-4d04-834e-f0bbd7438c8b.filesusr.com/ugd/ac612b_a3390dd433fe47b6b0672c57dce447b3.pdf?index=trueIn PDF document text
- https://9e77dbea-16d6-438e-9859-4a68c5388828.filesusr.com/ugd/3225da_60b72140ab944036b7d743fa6c959ff6.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/87c9af55-78cb-4400-8e7d-4ec5e8897cae/lojedekaf.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ccd8cb1d-64ed-43c3-b951-6f9e44d8b380/common_mistakes_in_english_book.pdfIn PDF document text
- https://97783159-ced7-426e-9fbd-60d2bb3342fb.filesusr.com/ugd/00058f_040cdd788d2944919793c4d422e9208b.pdf?index=trueIn PDF document text
- https://c03439ef-6557-4199-865e-586791a52b6c.filesusr.com/ugd/6bb4a2_2aaf9bf6dbb94db286fde5cfa609c64d.pdf?index=trueIn PDF document text
- https://d3dd75b0-514a-4dbf-a1f7-973a5b421fb1.filesusr.com/ugd/5b46ec_3bb34ceed5a84e4581655f8377a039a5.pdf?index=trueIn PDF document text
- https://625f08e2-3d8e-45b5-8e8c-b95d001c5c7c.filesusr.com/ugd/d94ae5_78a6b82f5c9c4d40a57b4f5ee687ba34.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/fbe28657-d452-422c-bb6b-09eb71e5eeed/acer_laptop_wont_turn_on_orange_light.pdfIn PDF document text
- https://9cf93ecd-64ee-4ad6-afcc-f350577a7522.filesusr.com/ugd/c4dbd3_061433e3894c4faa9e9e354f2b7af930.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/d06561de-434d-4e6a-ac0d-7fc27382aed7/zecharia_sitchin_gratis.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f8bf.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF8BF | 5332 bytes |
SHA-256: 22fd8a39a0a56ec63ad82a0c7e7fcd5e0a9c5b74c5c0b0a58da5c20b1dd95a61 |
|||
font_01_sfnt_off00010aed.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10AED | 11156 bytes |
SHA-256: 5ecf28643ea490e9d182479e8a28f60d43137b1864096762acb01500c238ef31 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.