MALICIOUS
254
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains numerous external links, with a significant number pointing to disposable hosting, indicative of a link farm designed to distribute traffic. The presence of a PHP webshell heuristic and ClamAV detection as 'Pdf.Phishing.Trojan' strongly suggests malicious intent. While no scripts were directly extracted, the overall structure and heuristic firings point towards a phishing or malware distribution scheme.
Machine Learning
- Nyx PDF Classifier malicious score 0.9992
Heuristics 8
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PHP webshell / backdoor source critical WEBSHELL_PHPThe file contains PHP server-side code with the signature of a webshell/backdoor (named PHP webshell banner (WSO0)). A webshell takes attacker input from an HTTP request and runs commands/code on the server. Flagged as a malicious hacktool artifact even when carried inside a document or archive — the code does not execute from the carrier, but the file is a webshell.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://baarspo.ru/wix?keyword=geometry+unit+4+test+congruent+triangles+answers PDF link annotation
- http://vemexulitoko.iblogger.org/chundari_vave_song_kuttyweb.pdfIn PDF document text
- https://lodufokokafapav.weebly.com/uploads/1/3/5/3/135346761/wusamonoler_nagivo_kipugepoziwup_wusikomarefaso.pdfIn PDF document text
- https://sijawakupud.weebly.com/uploads/1/3/0/7/130740213/fumifaxeriwimi-pofiz-kugekori-xebojatofejid.pdfIn PDF document text
- http://tivadejasuxaso.22web.org/20263290956.pdfIn PDF document text
- http://fontawesome.iohttp://fontawesome.io/license/In PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://bcd7deca-fd5d-492b-a220-d373ca515bc9.filesusr.com/ugd/12f4eb_9df60d6353794483aa44eae11ced30f3.pdf?index=trueIn PDF document text
- https://d4a58959-25bc-41ae-a48c-99f47e3c4711.filesusr.com/ugd/4dab1e_a4dcd13d7e2640499780c84c6d0a53ae.pdf?index=trueIn PDF document text
- https://da5bec28-7969-4117-8ffb-5069fce5e80c.filesusr.com/ugd/31593d_1a0e40723458452798a9aae35e9554d5.pdf?index=trueIn PDF document text
- http://tositasi.epizy.com/65107755677.pdfIn PDF document text
- https://s3.amazonaws.com/tuzakifezara/34700404781.pdfIn PDF document text
- https://8eccd3b7-fb20-4588-a5b5-4d8c58591879.filesusr.com/ugd/0e6328_75f0b3421d834d27b545844be4f4f812.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/d7b804ea-ab3f-4b21-b831-eed8995be92e/necchi_supernova_ultra_mark_2_istruzioni.pdfIn PDF document text
- https://s3.amazonaws.com/didowugorokirug/information_technology_project_management_7th_edition_answers.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ccc221b2-a45c-403e-91f3-1052c3ca9af4/7613219129.pdfIn PDF document text
- https://fe2b84af-b373-48e0-a714-f820169e3fe9.filesusr.com/ugd/ed1d2e_43a83eded8c7474ea2331cbe859c9dec.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/0a2845c7-4551-42ed-a38a-c0862a59d10e/how_to_reset_a_lg_headset_hbs_750.pdfIn PDF document text
- https://84daacc9-7e90-4c5d-b1ed-526950900c49.filesusr.com/ugd/73f3b0_2e9a16fb684f4a4b9ea0616d19f22eb9.pdf?index=trueIn PDF document text
- https://1e16da7b-5b4f-4122-a3c4-5c88c9d97cf7.filesusr.com/ugd/83f04e_7f88eb7743f74ab2b550f2601d1525e4.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/kegovev/flat_rental_contract_template_uk.pdfIn PDF document text
- https://37976aa0-f55f-47d3-847a-8d185b13ebf6.filesusr.com/ugd/1d6212_aa0afe21150c4cbf82084a491eeeb46f.pdf?index=trueIn PDF document text
- http://nolonogatifotop.epizy.com/nigiwenubanigalen.pdfIn PDF document text
- https://s3.amazonaws.com/kotenu/dell_ultrasharp_u2410_specifications.pdfIn PDF document text
- https://5a98ae10-8c7e-48da-b83f-9bcbc644cfa3.filesusr.com/ugd/9a8764_43066e4e8fa34e5e959f0646181e5776.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f700.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF700 | 2048 bytes |
SHA-256: cddecdff5bc3e72f46ea06cdd93bd3399fde1be52cab752d355fcb55274740b1 |
|||
font_01_sfnt_off00010075.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10075 | 5432 bytes |
SHA-256: 2e7f275183f22923315e1c8d45f6587e37120d0e77a41b5003fd055f8f6a656f |
|||
font_02_sfnt_off000112fd.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x112FD | 13000 bytes |
SHA-256: 218b959ddcc70f523c2831121510d95c3bc07da87583b54f6153be5d1a9a0911 |
|||
font_03_sfnt_off00013e23.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x13E23 | 16208 bytes |
SHA-256: 3b880ae8b046db85d3eebc4a95fc0ab9d4b5f015cb69e0a38438a493accdac43 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.