Malware Insights
This PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan' and an ML classifier indicating high maliciousness. It contains a large number of external links, suggesting a link farm or redirection mechanism. One of the primary external URIs, 'https://jacksth.ru/123?utm_term=alarm+app+android+free', is likely used to direct users to a malicious site. Although no scripts were explicitly extracted, the PDF structure and link farm behavior are indicative of a phishing or malware distribution attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics 5
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://jacksth.ru/123?utm_term=alarm+app+android+free (PDF link annotation)
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f4f2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF4F2 | 4708 bytes | 5bf75240467059f979285bf4eb6fd2d817d2db2bee752fdd2b48d273dc54e075 |
| font_01_sfnt_off000104c6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x104C6 | 11180 bytes | 2fab341f142547db640fb499dde57ca22f717d45bc7c5402866fc5f56dbba46a |
| font_02_sfnt_off00012adc.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12ADC | 4324 bytes | ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3 |