Verdict: MALICIOUS
Risk Score: 126

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF file was flagged by multiple heuristics, including ML and ClamAV, indicating malicious content. It contains a large number of embedded URLs, many pointing to disposable domains, suggesting a phishing or malware distribution campaign. The presence of PDF_URI and PDF_SEO_DISPOSABLE_LINK_FARM heuristics strongly supports this attack pattern.
Machine Learning
- Nyx PDF Classifier malicious score 0.9950
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs (channel in parentheses):
- https://botokaw.ru/wix?keyword=hitman+2+expansion+trophy+guide (PDF link annotation)
- http://donbetosstreettacos.com/strange_deep_sea_creatures_documentarynedow.pdf (in PDF document text)
- http://maxirem.mygamesonline.org/what_size_is_a_mini_shake_at_sonic.pdf (in PDF document text)
- https://cdn-cms.f-static.net/uploads/4452154/normal_603a22f8b7406.pdf (in PDF document text)
- https://cdn-cms.f-static.net/uploads/4382643/normal_6027efadea7d4.pdf (in PDF document text)
- http://helpcopyright-service.com/siroputopiloxuzjutbd.pdf (in PDF document text)
- http://limons.space/golems_clash_of_clansogjhb.pdf (in PDF document text)
- https://static.s123-cdn-static.com/uploads/4426066/normal_5feafdec7feb9.pdf (in PDF document text)
- http://zujadise.scienceontheweb.net/kibopudimusajaxiton.pdf (in PDF document text)
- http://unlockdeals.shop/navogixewajacnssp.pdf (in PDF document text)
- https://cdn-cms.f-static.net/uploads/4447465/normal_602231a94dd13.pdf (in PDF document text)
- https://cdn-cms.f-static.net/uploads/4464995/normal_5fe8addedf442.pdf (in PDF document text)
- http://tetoxukipim.getenjoyment.net/stanley_battery_charger_says_flo.pdf (in PDF document text)
- https://static.s123-cdn-static.com/uploads/4499629/normal_6007b237b74a6.pdf (in PDF document text)
- https://static.s123-cdn-static.com/uploads/4476437/normal_5ff2d2f4934b7.pdf (in PDF document text)
- https://cdn-cms.f-static.net/uploads/4425515/normal_6021a4cbc6059.pdf (in PDF document text)
- http://fit-italy.space/48657345493km6yg.pdf (in PDF document text)
- http://wumomotetidofe.getenjoyment.net/skyrim_how_to_get_fortify_smithing_enchantment.pdf (in PDF document text)
- https://cdn-cms.f-static.net/uploads/4420748/normal_60132729de495.pdf (in PDF document text)
- http://www.ascendercorp.com/ (in PDF document text)
- http://www.ascendercorp.com/typedesigners.html (in PDF document text)
- http://www.daltonmaag.com/ (in PDF document text)
- https://uploads.strikinglycdn.com/files/04243cd7-20c3-485b-95c2-e28f673efd94/fikabiladazakis.pdf (in PDF document text)
- https://01ff271a-2d66-4e22-ac0f-a796646d2f56.filesusr.com/ugd/8d93e9_48aa3d16dac742dfb2e0154c29b13839.pdf?index=true (in PDF document text)
- https://60659a61-a27b-47ea-8eac-a81775c62269.filesusr.com/ugd/7a7fb1_481900325ad94e068ecc7bc6e60ad12b.pdf?index=true (in PDF document text)
- https://uploads.strikinglycdn.com/files/93e46dea-aa3e-4140-87a0-a647b2c0cb94/skyworth_tv_review_ph.pdf (in PDF document text)
- https://uploads.strikinglycdn.com/files/de6bce24-51a6-4530-887b-1449298c9d67/what_is_religious_intolerance_in_india.pdf (in PDF document text)
- https://e0220c8c-c322-4c33-af83-7c5b0fe00b66.filesusr.com/ugd/a771bd_3599a145667a454e9d5ae7a2714d629f.pdf?index=true (in PDF document text)
- https://uploads.strikinglycdn.com/files/3aa5b1fe-f64b-480b-af25-856995dadae0/mr._coffee_delay_timer_instructions.pdf (in PDF document text)
- https://29474179-7c7c-44ae-84e0-3c37792f2e25.filesusr.com/ugd/7f817d_1dcdffc818f54ba1822524f777f92df8.pdf?index=true (in PDF document text)
- https://uploads.strikinglycdn.com/files/546d1400-58ab-4489-9038-7c3eef7fad6a/nissan_80_forklift_parts_manual.pdf (in PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
- http://purl.org/dc/elements/1.1/ (in PDF document text)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
- http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f3ae.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF3AE | 5488 bytes | b00c3288a342e431bb15a7dcbeed2e2728e7f80954f1ccf9d6c9a63ce700e9fb |
| font_01_sfnt_off00010627.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10627 | 10472 bytes | 74b901b5f663941e983acf999fb0016a7b4c297012d89ddc1d356b3fe7b766c5 |
| font_02_sfnt_off000129ff.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x129FF | 4324 bytes | 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3 |