Verdict: MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains numerous embedded URLs, with a primary external URI pointing to 'https://synerhu.ru/pbw?utm_term=your+name+eng+sub+full'. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' indicates the PDF is designed as a link farm on disposable hosting, further supporting a malicious intent. No scripts were extracted, but the presence of external URIs suggests an attempt to redirect the user to a malicious site.
Machine Learning
- Nyx PDF Classifier malicious score 0.9983
Heuristics 5
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

| URL | Channel |
|---|---|
| https://synerhu.ru/pbw?utm_term=your+name+eng+sub+full | PDF link annotation |
| https://cdn-cms.f-static.net/uploads/4425235/normal_6051a9b5ec901.pdf | PDF document text |
| https://cdn-cms.f-static.net/uploads/4414164/normal_5fd3c0ac10a04.pdf | PDF document text |
| https://static.s123-cdn-static.com/uploads/4495849/normal_5fced152bdcad.pdf | PDF document text |
| https://cdn-cms.f-static.net/uploads/4457305/normal_603e187d75182.pdf | PDF document text |
| https://cdn-cms.f-static.net/uploads/4452373/normal_603f60a658e5a.pdf | PDF document text |
| https://cdn-cms.f-static.net/uploads/4401716/normal_603fa8a4b81c8.pdf | PDF document text |
| https://cdn-cms.f-static.net/uploads/4413573/normal_603d97b545ae9.pdf | PDF document text |
| http://www.ascendercorp.com/ | PDF document text |
| http://www.ascendercorp.com/typedesigners.html | PDF document text |
| http://pajuxuse.pbworks.com/f/schaums_outline_of_electromagnetics_5th_edition.pdf | PDF document text |
| http://dawanitapix.pbworks.com/w/file/fetch/144952530/13314276495.pdf | PDF document text |
| https://uploads.strikinglycdn.com/files/32f7a85a-ab39-46ca-8fc9-75a6670b3d86/how_much_is_adobe_premiere_monthly.pdf | PDF document text |
| http://gaguwufajij.pbworks.com/w/file/fetch/144874782/comrade_in_america_movie_download_with_english_subtitles__500____Low__0.pdf | PDF document text |
| http://gazumadu.pbworks.com/w/file/fetch/144653913/what_are_the_theories_of_aging_that_argue_that_the_bodys_constant.pdf | PDF document text |
| https://uploads.strikinglycdn.com/files/28fd9dd5-2511-43a9-97bf-fe8056c0fffb/38946309137.pdf | PDF document text |
| https://uploads.strikinglycdn.com/files/88a1f31b-07e2-4024-9b81-5e96474d32d7/what_are_the_types_of_preference_shares.pdf | PDF document text |
| http://muzurinugaw.pbworks.com/f/la_crosse_technology_radio_controlled_clock_manual_wwvb.pdf | PDF document text |
| http://sujabuno.pbworks.com/w/file/fetch/144732789/fatiba.pdf | PDF document text |
| http://bawamotijeku.pbworks.com/w/file/fetch/144478374/why_did_peter_say_to_jesus_lord_go_away_from_me.pdf | PDF document text |
| http://sijomirurefi.pbworks.com/w/file/fetch/145018374/fajoderezozo.pdf | PDF document text |
| https://uploads.strikinglycdn.com/files/cc086f5b-3b1c-41ce-ba29-8805b3fa1ed4/how_to_improve_your_competencies.pdf | PDF document text |
| http://gupipax.pbworks.com/w/file/fetch/144897699/gapefitiniril.pdf | PDF document text |
| http://supatibu.pbworks.com/w/file/fetch/144418731/11139816708.pdf | PDF document text |
| http://rasetewi.pbworks.com/f/how_to_communicate_effectively_with_your_wife.pdf | PDF document text |
| http://lomubel.pbworks.com/f/walking_in_a_winter_wonderland_piano_sheet_music.pdf | PDF document text |
| http://mawasuwov.pbworks.com/f/kg_to_pounds_and_ounces_conversion_chart.pdf | PDF document text |
| http://zudilazo.pbworks.com/w/file/fetch/144523452/movitijexojadebodegowatub.pdf | PDF document text |
| http://www.w3.org/1999/02/22-rdf-syntax-ns# | PDF document text |
| http://purl.org/dc/elements/1.1/ | PDF document text |
| http://ns.adobe.com/pdf/1.3/ | PDF document text |
| http://ns.adobe.com/xap/1.0/ | PDF document text |
| http://ns.adobe.com/xap/1.0/mm/ | PDF document text |
| http://ns.adobe.com/xap/1.0/rights/ | PDF document text |
| http://scripts.sil.org/OFL | PDF document text |
| http://dejavu.sourceforge.net | PDF document text |
| http://dejavu.sourceforge.net/wiki/index.php/License | PDF document text |
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000d61c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD61C | 3936 bytes | 2db82d620362954f416c1972358186021da4fab46e96ddc728a3cc749ba47d9a |
| font_01_sfnt_off0000e42e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE42E | 5188 bytes | 3002c4e822b6202dbcf40d7aaf480aaa78a1677e67e6cd7d0faf5042a1f16ed7 |
| font_02_sfnt_off0000f5be.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF5BE | 10748 bytes | c4d9fdfcdf27bcaa6d2c751161dfd8d25a1f9b0c61bc05b22f55df2e1d9b60e8 |
| font_03_sfnt_off00011ad6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11AD6 | 17260 bytes | c4aec8fc128d9a375fb14928741ee5afa93c85ed9d776a32248188fa885a7d02 |