Verdict: MALICIOUS
Risk Score: 186

Malware Insights

MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF document contains a large number of external links, many pointing to disposable domains, indicating it functions as a link farm. The primary malicious URL identified is https://mezovuduw.ru/strik, which is likely used to redirect users to phishing or malware-hosting sites. The ClamAV detection and ML classifier strongly suggest malicious intent, likely related to phishing or malware distribution.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 | critical | CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm | critical | PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting | medium | PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI | info | PDF_URI
  PDF contains an external URL action.
- Object number defined twice with different bodies | info | PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL | info | EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URLs:
  - https://mezovuduw.ru/strik?utm_term=mbti+personality+types+anime+characters (PDF link annotation)
  - http://lajodibibodi.getenjoyment.net/bijofepowokogasufizalajop.pdf (in PDF document text)
  - http://aov.one/latest_south_africa_house_songstewr5.pdf (in PDF document text)
  - http://ranking-se.com/53731536687a9ywg.pdf (in PDF document text)
  - http://dapajibidamazed.mypressonline.com/18821488637.pdf (in PDF document text)
  - http://www19216801.site/fagajumenedu7u53a.pdf (in PDF document text)
  - http://dumubemajizukov.medianewsonline.com/libisosubutajeviji.pdf (in PDF document text)
  - http://ritual-venki.online/html5_header_nav_templatekhh69.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - https://uploads.strikinglycdn.com/files/b7938886-7b54-4b00-b6d1-f31f9d56b881/94598233894.pdf (in PDF document text)
  - https://0926596c-b1e6-4473-87d6-fed2e709bfeb.filesusr.com/ugd/e2a635_7c1a6541ba9a4fadb67ed1da844e33d3.pdf?index=true (in PDF document text)
  - http://pumajamidu.rf.gd/50591973544.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/1b896189-3f4c-497d-94d7-0ecfdb5cb696/collins_gem_sas_survival_guide_pocket_book.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/67dab358-83b3-4866-95ef-7a8fdb25d425/vizidazugeje.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/6f495e9f-894f-4119-8151-d2da91262d4b/codigo_procesal_civil_y_mercantil_el_salvador.pdf (in PDF document text)
  - http://telusomabufa.onlinewebshop.net/1991_cadillac_brougham_owners_manual.pdf (in PDF document text)
  - https://128fc002-9ed4-4a8f-9a6b-83b43563a9ed.filesusr.com/ugd/6812d7_d1fdaa6ad05a4b96aa5e8c99ac8ec8ae.pdf?index=true (in PDF document text)
  - https://uploads.strikinglycdn.com/files/e1c42041-a614-4507-8d3a-ba44466f3c02/zexumotorofekatomo.pdf (in PDF document text)
  - https://6129906d-bc82-46a7-99f5-71793a58af3c.filesusr.com/ugd/d162e3_6ae6d19c613d4ad693e717a6656d5bbd.pdf?index=true (in PDF document text)
  - http://sufixis.myartsonline.com/english_story_for_reading.pdf (in PDF document text)
  - http://lexekuduwowig.atwebpages.com/lefakutafos.pdf (in PDF document text)
  - http://modiwina.epizy.com/pimimi.pdf (in PDF document text)
  - http://gevejonitu.onlinewebshop.net/input_type_file_accept_docx_and.pdf (in PDF document text)
  - https://4b5f4e46-8b81-4257-bf39-61fc08ba57b0.filesusr.com/ugd/7ea8bb_0dbf5c6f8a9440bf8562854e045abe51.pdf?index=true (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
  - http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00013487.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13487 | 5420 bytes | 2a0e550f5d4e1fbd8fc463fc14236338697289adbd227ab0782389c0eb4bcf7d |
| font_01_sfnt_off000146d9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x146D9 | 11336 bytes | e443c5a07ea41f5abd2ee362c81afa50a3a4c0d00ce2612e321a3cbebc740530 |