Verdict: MALICIOUS
Risk Score: 186
Malware Insights
MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9973
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The URL reached via a PDF link annotation is https://chcial.ru/pbw?utm_term=how+to+combine+two+photos+into+one+pdf
Extracted artifacts (5)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f8df.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF8DF | 2960 bytes | 4c688c0676da4c9c3f1d636d29496b85ed1f90b4285ee9b780884cc7de0e34ac |
| font_01_sfnt_off0001034f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1034F | 5248 bytes | 6995fe646ae8d2c1db926d0386d22e7cb1381bca81d0d41cf7a9dd82af3deb0d |
| font_02_sfnt_off0001150f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1150F | 3092 bytes | 41e6e99b10617d737f01889771d7b1b3ced7ffc02275dce335d68a6a706ac4f0 |
| font_03_sfnt_off0001224f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1224F | 11608 bytes | 0a02790069c8c26d21a898c1c8ef3081926558f70d0de0974c2739cfd07a684c |
| font_04_sfnt_off00014a0e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14A0E | 16336 bytes | 92ca5277a07040a1118e6ffe557fff1b4332eaf15e577e4df2dfa25513d903e2 |