Verdict: MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm or SEO manipulation tactic. One of the primary URLs extracted is https://zajinet.ru/wix?keyword=silent+partnership+agreement+pdf, which appears to be a lure for users searching for partnership agreements.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9996
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://zajinet.ru/wix?keyword=silent+partnership+agreement+pdf (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f025.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF025 | 5560 bytes | 03c943cfd5cf921164c3129327ae0eeec761fb93bd42a3033f3d478a145bd529 |
| font_01_sfnt_off000102dd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x102DD | 10404 bytes | b886caafcc75253f0b59b31fb2481ab8cd51c46cce0608d0033baae54c7283ed |