MALICIOUS (Risk Score: 126)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI [info, PDF_URI]: PDF contains an external URL action
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://ponafet.ru/strik?utm_term=what+causes+a+sewing+machine+to+skip+stitches (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f0da.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF0DA | 5388 bytes | b0995cfabdc24f1518251f8c21ca1434d1f11ee4e03bcfeca95916a17ca02ff3 |
| font_01_sfnt_off0001032d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1032D | 10588 bytes | 54bc98daba4f626a13b4c5c0038b94b09fe181864f4be05a95788cb00d908b64 |