Verdict: MALICIOUS (risk score 196)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF carries numerous external URLs. Its clickable link annotation points to an SEO redirector, https://zajinet.ru/strik?utm_term=changan+automobile+annual+report+2016, whose multi-word utm_term is the natural-language search query the lure is built to rank for; the remaining URLs sit in the document text and are further "free download" PDF links clustered on a few file-hosting domains. ClamAV detection, the structural heuristics and the ML classifier all agree that the file is a phishing or malware-delivery lure. The PDF itself carries no exploit, so the risk lies in the linked destination.
Machine Learning
- Nyx PDF Classifier malicious score 0.9994
Heuristics 6
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM). Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Image lure linking to an SEO redirector (free-download phishing) (high, PDF_SEO_UTM_REDIRECTOR_LINK). PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector: the "free ebook / solution-manual / document download" phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
- External URI (info, PDF_URI). PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL). The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL channel below for which path (macro, JS, link annotation, document body, ...) reached each URL.
  PDF link annotation (the only clickable URL action):
  - https://zajinet.ru/strik?utm_term=changan+automobile+annual+report+2016
  In PDF document text:
  - https://wolagevujizerul.weebly.com/uploads/1/3/5/3/135316080/watugefikaxu.pdf
  - https://ragixadimeruwu.weebly.com/uploads/1/3/4/8/134897014/cb8008ac78395.pdf
  - http://www.ascendercorp.com/
  - http://www.ascendercorp.com/typedesigners.html
  - https://uploads.strikinglycdn.com/files/9acacbf3-e64b-46cb-a8a1-4def6e540a67/luzejatovuwuwoforumurise.pdf
  - https://uploads.strikinglycdn.com/files/cc71e1f3-feb7-4607-9d48-b96884b42935/what_is_a_perfect_score_on_the_sat_essay.pdf
  - https://uploads.strikinglycdn.com/files/d7b050d1-c44a-47b0-978c-c765cf20844f/mass_communication_living_in_a_media_world_ebook.pdf
  - https://uploads.strikinglycdn.com/files/e26a3be0-d4ab-4b34-9a7a-b44e92148970/summary_of_cien_anos_de_soledad.pdf
  - https://uploads.strikinglycdn.com/files/346492de-154d-482e-a5fa-b511d8290f90/hp_officejet_pro_8600_scan_to_computer_software_download.pdf
  - https://s3.amazonaws.com/mukut/kabali_tamil_full_movie_free_tamilgun.pdf
  - https://s3.amazonaws.com/xewamejixolefaj/house_building_budget_template_excel.pdf
  - https://uploads.strikinglycdn.com/files/a001585c-253f-41c6-b769-cc2cc26d1a2c/32503000396.pdf
  - https://s3.amazonaws.com/pobixedele/romeo_and_juliet_act_3_scene_1_modern_text.pdf
  - https://s3.amazonaws.com/xubifupi/gamixananiz.pdf
  - https://s3.amazonaws.com/vojapu/modelo_de_memorandum_de_llamada_de_atencion_por_inasistencia_colombia.pdf
  - https://s3.amazonaws.com/zunaduxa/sepulederizogarago.pdf
  - https://s3.amazonaws.com/dewutexorob/dulubexij.pdf
  - https://s3.amazonaws.com/xovajukoxin/rajapiwumoxavota.pdf
  - https://s3.amazonaws.com/jezaxojipevu/57232552701.pdf
  - https://s3.amazonaws.com/tetenifeme/clauses_worksheet.pdf
  - https://s3.amazonaws.com/zobuwubedak/calendario_2019_escolar_2020_sep_195_dias_a_color.pdf
  - https://uploads.strikinglycdn.com/files/90c925c0-1052-4d75-b915-c45ab42a569e/nikon_coolpix_l22_battery_door_fix.pdf
  - https://s3.amazonaws.com/wizitifowubux/attarintiki_daredi_songs_naa.pdf
  - https://s3.amazonaws.com/muwemivumazulax/34054515433.pdf
  - https://uploads.strikinglycdn.com/files/adfa0faa-a7e5-446c-a0d3-cdcc82fbb9c2/how_to_wash_chicco_keyfit_30_car_seat_cover.pdf
  Also in PDF document text, but schema identifiers rather than navigable links: the RDF, Dublin Core and Adobe XMP namespace URIs that XMP metadata embeds as plain text, plus the SIL Open Font License URL that font licence metadata usually carries. These are expected in any PDF with XMP metadata and embedded fonts and should not count toward the link-farm score:
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/rights/
  - http://scripts.sil.org/OFL
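The three structural heuristics in this report (the link farm clustered on one host, the multi-word utm_term redirector, and the duplicate object whose first-wins and last-wins bodies differ) can be reproduced with plain regex scanning. The block below is an added example, not the analyzer's own code; it runs on a constructed minimal PDF with placeholder hosts, and the thresholds (4 external .pdf links, 50% on one host, 3-word utm_term, 200 KB "small" cutoff) and the list of "active" action keys are assumptions. Being regex-based, it only sees uncompressed content and ignores escaped parentheses and object streams, which is exactly why a production analyzer pairs such checks with a real parser.

```python
"""Structural PDF lure checks: SEO link farm, utm_term redirector, duplicate
object bodies.  Added example, not the analyzer's own code.  Pure-regex, so it
only sees uncompressed content and ignores escaped parentheses and object
streams; all thresholds are assumptions."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample (hosts are placeholders): the /URI action is present only
# in the second, incremental-update definition of object 4, and the page text
# lists several "download" PDFs on one host plus one XMP namespace URI.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 100] >> endobj
5 0 obj << /Length 0 >>
stream
BT (Download: https://cdn.example.net/files/a1/report.pdf) Tj ET
BT (https://cdn.example.net/files/b2/manual.pdf https://cdn.example.net/files/c3/notes.pdf) Tj ET
BT (https://cdn.example.net/files/d4/guide.pdf http://www.w3.org/1999/02/22-rdf-syntax-ns#) Tj ET
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 100]
  /A << /S /URI /URI (https://redirector.example/strik?utm_term=changan+automobile+annual+report+2016) >> >> endobj
trailer << /Root 1 0 R /Prev 9 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/SubmitForm")
# Schema URIs that XMP metadata embeds as plain text; not navigable links.
NAMESPACE_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns",
                      "http://purl.org/dc/", "http://ns.adobe.com/")


def is_seo_redirector(url, min_words=3):
    """A utm_term holding a multi-word natural-language query is the SEO lure signature."""
    term = parse_qs(urlsplit(url).query).get("utm_term", [""])[0]  # '+' decoded to ' '
    return len(term.split()) >= min_words


def link_farm(urls, min_links=4, min_share=0.5):
    """Many external .pdf links, mostly on one host, is the link-farm carrier shape."""
    pdf_links = [u for u in urls if urlsplit(u).path.lower().endswith(".pdf")]
    if len(pdf_links) < min_links:
        return None
    host, n = Counter(urlsplit(u).netloc for u in pdf_links).most_common(1)[0]
    share = n / len(pdf_links)
    return {"host": host, "links": len(pdf_links), "share": share} if share >= min_share else None


def duplicate_objects(pdf):
    """Object ids defined more than once with differing bodies, and whether a
    first-wins versus a last-wins reader would resolve active content."""
    def active(body):
        return any(k in body for k in ACTIVE_KEYS)

    defs = {}
    for m in OBJ_RE.finditer(pdf):
        defs.setdefault((int(m.group(1)), int(m.group(2))), []).append(m.group(3).strip())
    found = {}
    for key, bodies in defs.items():
        if len(set(bodies)) > 1:
            first, last = active(bodies[0]), active(bodies[-1])
            found[key] = {"count": len(bodies), "first_wins_active": first,
                          "last_wins_active": last,
                          "severity": "high" if first or last else "info"}
    return found


def assess(pdf, max_small=200_000):
    """Split URLs by channel, then run the three structural checks."""
    link_urls = [u.decode("latin-1") for u in URI_ACTION_RE.findall(pdf)]
    others = sorted({u.decode("latin-1") for u in URL_RE.findall(pdf)} - set(link_urls))
    metadata = [u for u in others if u.startswith(NAMESPACE_PREFIXES)]
    text_urls = [u for u in others if u not in metadata]
    return {
        "small": len(pdf) <= max_small,
        "link_annotation_urls": link_urls,
        "text_urls": text_urls,
        "metadata_uris": metadata,
        "seo_redirector": [u for u in link_urls if is_seo_redirector(u)],
        "link_farm": link_farm(link_urls + text_urls),
        "duplicate_objects": duplicate_objects(pdf),
    }


if __name__ == "__main__":
    for k, v in assess(SAMPLE_PDF).items():
        print(f"{k}: {v}")
```

The duplicate-object check mirrors the report's severity rule: a body-only difference stays "info", and only a duplicate whose first or last definition carries an action key is raised, because that is the case where a first-wins reader (a sandbox) and a last-wins reader (the victim's viewer) disagree about what the link does.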
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off000112d5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x112D5 | 5580 bytes | e89c98225c92ea39748906302e972629bc1d5248b0b302b127781f922c1b838d |
| font_01_sfnt_off0001259e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1259E | 11452 bytes | f4cae37666a6d50dad1fcbd6fb0a59a117b581d6e3c4015485b7a8ce18f67a09 |