MALICIOUS
216
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. It uses brand-impersonation credential phishing. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9994
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Brand-impersonation credential phishing lure critical SE_BRAND_CREDENTIAL_PHISHDocument impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://vopilexazum.weebly.com/uploads/1/3/2/7/132740267/lopitaxomavuzenamil.pdf.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://zajinet.ru/strik?utm_term=sign+of+the+beaver+book+study+guide+pdf PDF link annotation
- https://static.s123-cdn-static.com/uploads/4486523/normal_5fe19be51585d.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4416304/normal_6022fb09a486e.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4405904/normal_600bbaa8aa350.pdfIn PDF document text
- https://vopilexazum.weebly.com/uploads/1/3/2/7/132740267/lopitaxomavuzenamil.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4450723/normal_5fd059b47c71a.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4365635/normal_5fc6dfa48b4a2.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4485942/normal_6005c647b102c.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4385004/normal_602edd7bad383.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4415739/normal_5fe1fbc509f4f.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4367961/normal_60321ddb5e1dc.pdfIn PDF document text
- https://sanupeden.weebly.com/uploads/1/3/5/9/135961416/9c8fdc3fb8abc.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/973420aa-6b4b-4b56-97c0-4904acb47b04/wayne_dyer_books_amazon.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/bd590315-c19b-4d51-8b05-ef6fc339ffda/42766342685.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/38bb178c-2321-4e59-9a15-1f70da84df66/pemururorarukaxi.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c289eb50-8fd4-433d-860e-73acbcbf22f8/the_challenge_war_of_the_worlds_2_finale_reddit.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/961500e0-15b0-489c-8d37-a48802d7ed48/robert_adams_middle_school_calendar.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/80440064-bc89-47b5-a4bd-92eda1cf4eeb/86123247788.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/1e407023-18dc-4091-b8bc-b137c8ef5246/muxupow.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e0a8b910-edff-4444-bdfb-64cb536625d3/ikea_kullen_3_drawer_chest_instructions.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/140d7515-c978-4812-8986-8b98ae2e22d4/bruce_lee_songs_lyrics_in_telugu.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/577900df-ec38-4582-a23f-ec5c8c535756/55639123795.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c260c1c9-f37e-497b-b8a8-615aed791a62/kexopatona.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/13545dff-2160-43dc-ad30-d2f73a0fc947/how_to_connect_turtle_beach_stealth_600_xbox_to_ps4.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f849.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF849 | 5740 bytes |
SHA-256: 00ba6317b08f59991176ea345824c3097477b8e5cab3ac85add5e27956b5120a |
|||
font_01_sfnt_off00010bd7.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10BD7 | 10784 bytes |
SHA-256: 338485135fd503011be8f1f5ea1861876b84628094c55ea4c02426cc42dd202f |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.