MALICIOUS
194
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm designed to redirect users to malicious content. The document body, though heavily obfuscated, appears to be a lure related to 'Wordly wise book 8 answer key lesson 9', aiming to trick users into clicking the embedded links.
Machine Learning
- Nyx PDF Classifier malicious score 0.9990
Heuristics 7
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://baarspo.ru/award?keyword=wordly+wise+book+8+answer+key+lesson+9
- http://sefegusekepuxa.mypressonline.com/hp_elitebook_2740p_ram_specs.pdf
- http://xexapitanegis.getenjoyment.net/vegefepovimuwepexil.pdf
- http://paxezot.getenjoyment.net/bella_vita_salon__day_spa_leavenworth_ks.pdf
- http://lenusabipowezo.getenjoyment.net/35532684770.pdf
- https://ritosameb.weebly.com/uploads/1/3/4/2/134266106/pikozefoginuf.pdf
- https://duxoberadu.weebly.com/uploads/1/3/4/7/134718286/xajefusewiziwigix.pdf
- https://gobodozi.weebly.com/uploads/1/3/1/3/131398455/9678146.pdf
- https://rofazipupu.weebly.com/uploads/1/3/4/5/134580110/kifoxafujiru.pdf
- https://tafubevodila.weebly.com/uploads/1/3/4/0/134016741/ronopopepezab.pdf
- http://tivirazetuxozux.22web.org/bahadur_bengali_full_movie.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://b6c9d0de-81a1-4db9-ab7d-8a95af9e63d6.filesusr.com/ugd/b28ae2_a891a41f2d0648749ed6961c0f8e3d25.pdf?index=true
- http://rowomasogig.epizy.com/investigation_report_sample_template.pdf
- https://8cff94d3-ecab-4ea5-ad27-d3e67d02fd32.filesusr.com/ugd/2813e2_71c7f0172fce4a8aac2aee1ead6b9ea9.pdf?index=true
- https://s3.amazonaws.com/fotepopunaj/josipovuzupipizun.pdf
- https://e20d271a-53e3-41f9-9180-d6cd5f9fd148.filesusr.com/ugd/6cfc61_550b5950c2af4940a665eb25b0617f1e.pdf?index=true
- https://6a24fdd2-d4a5-4c4b-882b-0f3115751bcf.filesusr.com/ugd/04e6f9_d728e27fcbe340bba4b1ab7739d64e30.pdf?index=true
- https://s3.amazonaws.com/vebenok/wakudajezutedid.pdf
- http://petizitopebil.epizy.com/60134776999.pdf
- https://24a70dd4-b549-4b9e-9c0a-6eea45ab85ad.filesusr.com/ugd/ab0c63_e21ab10ee7d3468cad92fe93e9e760ec.pdf?index=true
- https://7a512b58-7189-4bc4-8343-f643fa9054c9.filesusr.com/ugd/1e52da_cd097962757f422480c77363662e332d.pdf?index=true
- https://8cff94d3-ecab-4ea5-ad27-d3e67d02fd32.filesusr.com/ugd/2813e2_9e0e953ef5fe4c8bb3baeb6b358929ac.pdf?index=true
- https://s3.amazonaws.com/kavugusepe/literatu.pdf
- https://f608bf75-187c-4b28-9621-af925c05c2b6.filesusr.com/ugd/05e3ad_f39c0d53af724e96a776739d7a330ef3.pdf?index=true
- http://jupegojut.atwebpages.com/dekifazulawaxetos.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f31f.bin498a1da5164e2f7143369c0efde39b2f6a9f4284d01981165956c438197699b7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF31F | 5288 bytes |
font_01_sfnt_off0001052e.bin0bffd705c9a6c414e42a2e2bcaa5fe16f095ab280e204cd286cd92f34742cc43 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1052E | 10604 bytes |
font_02_sfnt_off0001295d.bind1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1295D | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.