Verdict: MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9991
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs (channel in parentheses):
- https://golowaki.ru/strik?utm_term=honeywell+vision+pro+8000+install+manual (PDF link annotation)
- https://dugitesabisaxo.weebly.com/uploads/1/3/4/3/134392589/7826295.pdf (in PDF document text)
- https://wofexajolevesi.weebly.com/uploads/1/3/5/3/135302186/2437952.pdf (in PDF document text)
- https://fasorijaj.weebly.com/uploads/1/3/4/5/134501708/cbe80.pdf (in PDF document text)
- http://arendagg.xyz/table_top_christmas_tree_with_lights_uk8dy33.pdf (in PDF document text)
- http://latirogemiwufiz.22web.org/bose_901_series_6_price.pdf (in PDF document text)
- https://lafadulow.weebly.com/uploads/1/3/4/5/134591129/56cbf060.pdf (in PDF document text)
- http://italystore.pro/metawewukujugivepelosokevqnx.pdf (in PDF document text)
- http://changepass.online/ukulele_strumming_patterns_4_4d4fg6.pdf (in PDF document text)
- https://seroselek.weebly.com/uploads/1/3/4/6/134636573/9305360.pdf (in PDF document text)
- http://www.ascendercorp.com/ (in PDF document text)
- http://www.ascendercorp.com/typedesigners.html (in PDF document text)
- https://3b0fe5ff-7f86-489c-8138-fc984e51136c.filesusr.com/ugd/bfd78a_ab22a32b0d9f43e09a7a884bb57df08e.pdf?index=true (in PDF document text)
- https://7f3356c1-ec1f-498a-9d41-5b36c14d87b7.filesusr.com/ugd/98d33d_4fc6bff0daed44589f93fd39650e5b7c.pdf?index=true (in PDF document text)
- https://a8a2d6b8-6248-42a0-90a4-e25e421c2e59.filesusr.com/ugd/f63f29_2f787f1ee0b14a589c20c9f9037af866.pdf?index=true (in PDF document text)
- https://cdfb6f36-dde2-4af5-b3b7-55ff39976061.filesusr.com/ugd/c6ac46_68d2d6eabfde4193b29b1b2e6c4cf805.pdf?index=true (in PDF document text)
- https://d5f1d3db-1598-48d0-a061-764c190a6564.filesusr.com/ugd/866690_534c25a9ae0b42ed816bce40a9e32532.pdf?index=true (in PDF document text)
- http://bitugoxopezuwu.rf.gd/47624488082.pdf (in PDF document text)
- http://zivosefim.rf.gd/80041460073.pdf (in PDF document text)
- http://dufogatate.epizy.com/mandated_reporter_mn_vulnerable_adults.pdf (in PDF document text)
- https://e8c82854-2a0b-4c0f-82de-bac600ce06e6.filesusr.com/ugd/d017d5_12f7807e19754df3852f238df0d0879b.pdf?index=true (in PDF document text)
- http://mumeriladokovot.epizy.com/60435669278.pdf (in PDF document text)
- https://02ee9779-94d6-4ec7-959f-c0f99fe19a35.filesusr.com/ugd/cdc607_97f5db9b47a44f989e594a88e3cc35f0.pdf?index=true (in PDF document text)
- http://kojaburu.epizy.com/rekubur.pdf (in PDF document text)
- https://a5fc3680-5c08-4cda-bd6c-abaa3bdf25bc.filesusr.com/ugd/ea5d7b_32bc9947f66141e7bc1aa4bdc8acd3ec.pdf?index=true (in PDF document text)
- https://77483064-5892-4b52-b419-66e751946b77.filesusr.com/ugd/ef7b09_0cba5d9e722d4343bd0e9047172561d7.pdf?index=true (in PDF document text)
- https://8d94caac-80d5-4f6d-a73a-04ed47837dc1.filesusr.com/ugd/585b1d_9d98bb60e4074b4e83310464ad8988b3.pdf?index=true (in PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
- http://purl.org/dc/elements/1.1/ (in PDF document text)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
- http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000de47.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDE47 | 5516 bytes | acb16d351d4363cbd0e0118736eb7cfc4231a26a4fc39fc752f25359c8e3baec |
| font_01_sfnt_off0000f10c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF10C | 11444 bytes | d1479c9ca42111a776509ebab6a5ffefc7109172e44ff4707c9e80eb446d290e |