MALICIOUS
266
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
T1059.007 JavaScript
This PDF document is identified as malicious by multiple heuristics and a machine learning classifier. It functions as a lure, directing users to install browser extensions or updates, a common tactic for credential theft or malware installation. The document also contains a link farm with numerous external URLs, some of which are hosted on disposable domains, suggesting an attempt to distribute malicious content or engage in SEO manipulation.
Machine Learning
- Nyx PDF Classifier malicious score 0.9990
Heuristics 8
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Browser extension / update installation lure high SE_BROWSER_INSTALL_LUREDocument tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://crophysi.ru/wix?keyword=wwhotmail.com+inciar+sesion PDF link annotation
- https://zujituxo.weebly.com/uploads/1/3/2/6/132681889/mafegura.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4496586/normal_5ffb05a320824.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4498376/normal_5fe607d922031.pdfIn PDF document text
- https://wejowijugoli.weebly.com/uploads/1/3/1/3/131383775/2ff2a.pdfIn PDF document text
- https://miruvogix.weebly.com/uploads/1/3/1/4/131408245/1443275.pdfIn PDF document text
- https://zulitaxovali.weebly.com/uploads/1/3/5/3/135351491/dojizarot-nujufibul-baxotepovu-puxufakovutod.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4376857/normal_5fe9403f717cb.pdfIn PDF document text
- https://xoxebugifujame.weebly.com/uploads/1/3/4/4/134478015/jazexuzotenaman.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/39c3f9ad-25db-4a95-85fe-e9309579d08a/53147436304.pdfIn PDF document text
- https://83f018a0-8e49-44f0-b57e-805e464a5f06.filesusr.com/ugd/10a4aa_b1f176bc3c0c4f92b08afbae4b2dd0d9.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/739627ca-c778-49fa-a899-6d7bb3833f82/xilip.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/9c49cff2-b3ab-4175-854b-1ea4919c981f/how_to_fix_diaper_genie_elite.pdfIn PDF document text
- https://6440a9f6-5e82-4153-977b-4ffe9374ec4a.filesusr.com/ugd/7182f3_59434984aa754f33b9711eb04a467e08.pdf?index=trueIn PDF document text
- https://34570882-574e-4d25-8c0e-d8b9b6c2967f.filesusr.com/ugd/cb2bed_d4fa977dada44f019f2d3413ae9678e4.pdf?index=trueIn PDF document text
- http://juvegebufu.epizy.com/annelids_mod_apk_unlocked.pdfIn PDF document text
- https://dbb1fad9-9c05-458f-9e32-bc0b7f65d7ec.filesusr.com/ugd/451461_785065b5bc0e40baa45109a0f071ce06.pdf?index=trueIn PDF document text
- http://rajixubododafu.epizy.com/cabinet_manual_rwanda.pdfIn PDF document text
- https://1c019786-7048-4615-837a-ae53f087c4ae.filesusr.com/ugd/8b4172_22ae3951bfc54fc7be61b9d4bc9da899.pdf?index=trueIn PDF document text
- https://69669160-cc20-42a3-bfef-e1e1fd1f8163.filesusr.com/ugd/8094a4_785adcd57523415a8a8aa9730812d8e4.pdf?index=trueIn PDF document text
- https://d85b1738-a471-4043-b59e-116b2bb794a3.filesusr.com/ugd/97927e_6f82c8c57c3443259e16c22c8b2f791f.pdf?index=trueIn PDF document text
- https://1d942ef5-affb-47d8-8f99-70a3d187b733.filesusr.com/ugd/3283b0_f39bb549835340afa2cc98b086589614.pdf?index=trueIn PDF document text
- https://4b523d79-2bc6-404f-8e52-0acae4d2cb03.filesusr.com/ugd/fe1b41_242db41b70df4c41837526e88c049b76.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/ca0f254b-7f27-49e3-9af1-fa1ed3500403/66187799400.pdfIn PDF document text
- https://1628ddcf-e301-416d-9649-d9339b85441b.filesusr.com/ugd/0b1079_61ac9800aa9c40c3b0adfd254e7b90a0.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f946.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF946 | 5176 bytes |
SHA-256: de0393a68e3c64cbdaf178c361757d0a8d67a71522b22a6d5b39cbec054dbfe0 |
|||
font_01_sfnt_off00010abf.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10ABF | 1804 bytes |
SHA-256: 559e339ebb012a4711299e9f436f2accabb026881398d3942dea161b76ad44a3 |
|||
font_02_sfnt_off0001139d.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1139D | 11912 bytes |
SHA-256: 547f76a073fd474d709fceb6587f4becc3b8e470a182a0e37b9ce90a36e8381c |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.