MALICIOUS
126
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan'. The presence of numerous external URIs, many hosted on disposable domains, strongly suggests a phishing or malware distribution attempt. The ML classifier also provided a high confidence score for maliciousness. No scripts were extracted, but the document body's garbled nature and the embedded URLs indicate a malicious intent to redirect users to potentially harmful sites.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://maypoin.ru/123?utm_term=chrome+android+hide+bottom+bar PDF link annotation
- http://alsamcctv.com/factory_reset_lenovo_t420s7ixjf.pdfIn PDF document text
- http://all-system7.xyz/8764584756aonep.pdfIn PDF document text
- http://prizinsta.site/warlings_mod_apkelw1o.pdfIn PDF document text
- http://rebelliona.online/free_bird_piano_sheet_musicpe91q.pdfIn PDF document text
- http://lalat.space/dakoxevofodevesizusuwixbdm9.pdfIn PDF document text
- http://tryraisins.club/264993028155dodo.pdfIn PDF document text
- http://chaptejvxz.fun/pivopivrvbuu.pdfIn PDF document text
- http://tesar-krd.ru/42199483731b039y.pdfIn PDF document text
- http://prizinsta.info/85071872420qqcge.pdfIn PDF document text
- http://formverifiedbadge.com/77196103570lw69w.pdfIn PDF document text
- http://ergors.space/what_is_the_best_humidifier_for_a_small_bedroomvdgz5.pdfIn PDF document text
- http://cheatyou.site/4882024781779yh8.pdfIn PDF document text
- http://pabixigenived.22web.org/bitbucket_previous_commit.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://1bf92926-22d0-44a1-94fb-b51843c41cd5.filesusr.com/ugd/762c1a_6c1e8cd3caa2440b89cb55d62f36bb7b.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/a3d39900-c4b5-4045-aaac-3526705b64d4/type_h_transmission_fluid_equivalent.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a43692fe-a0bd-42b2-a934-e42f42470a11/12729176123.pdfIn PDF document text
- http://tekojexabutixas.epizy.com/40240536294.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f028f7b6-698e-4d76-91fc-17bfc35b4f12/nawozufojabobuxexakobaxid.pdfIn PDF document text
- https://5a4e7950-e122-4b3c-9cf7-894e7f5b1216.filesusr.com/ugd/76aeb6_1b0731d18f7543f5becabeb5fc50ca53.pdf?index=trueIn PDF document text
- https://f7cac2f2-528f-490f-9bef-cb2448a877de.filesusr.com/ugd/529ba0_1c3cad71fe704a85a789f1f856560b9a.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/f74944ad-d2fd-4c7d-beac-850274b4f772/gezineta.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000de42.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDE42 | 4900 bytes |
SHA-256: ef03e8093ce4640835e4bbe05410a28336a529035a3a77b7bc5eed412f8fa8d8 |
|||
font_01_sfnt_off0000eeaa.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEEAA | 2744 bytes |
SHA-256: 99ca08574c0f61703d69c95e98248c5d024aef0632fe13605c1c1e389329cf25 |
|||
font_02_sfnt_off0000fa54.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFA54 | 10644 bytes |
SHA-256: 896e3f2dd342eb1966047fbfe52c75401c9d7cb76a20629a48db3cb8a092fd78 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.