MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
This PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm or SEO spam operation. The document body, though heavily obfuscated, appears to contain keywords related to a product manual, likely a lure to encourage users to click on the embedded malicious links.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://resalured.ru/wix?keyword=capresso+infinity+grinder+manual PDF link annotation
- https://fubalaxusagipun.weebly.com/uploads/1/3/4/1/134108832/judeze-susapelemowifo.pdfIn PDF document text
- https://larulesa.weebly.com/uploads/1/3/4/7/134717423/zapiru.pdfIn PDF document text
- https://cdn.sqhk.co/kipezipilojo/g0Vjejg/hungry_pigeon_instagram.pdfIn PDF document text
- https://cdn.sqhk.co/zotiperugi/5Yjijba/baleful_strix_double_masters.pdfIn PDF document text
- https://fabuduviwanor.weebly.com/uploads/1/3/4/7/134739750/288492.pdfIn PDF document text
- https://kabenodetaxixum.weebly.com/uploads/1/3/4/7/134754863/bomulejewipoviz_pamisowojipi.pdfIn PDF document text
- https://midubumiw.weebly.com/uploads/1/3/5/9/135989619/1d32ce9bf1.pdfIn PDF document text
- https://mitanifujokuvu.weebly.com/uploads/1/3/0/9/130969645/ca8503a9eec6f.pdfIn PDF document text
- https://zewemoledomuro.weebly.com/uploads/1/3/4/7/134746436/edd3b276db53.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://juzodut.rf.gd/john_deere_316_mower_deck_belt_diagram.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/797f15ef-d860-40b9-bcc4-85811f3a20ed/23836858322.pdfIn PDF document text
- http://fijetetesozaw.epizy.com/pazikamagoruxunetuviru.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/af50d957-682c-4ed1-8d82-63fd1df1e819/85289049457.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/16577d55-dd43-4b63-8bf3-e6f69fbc5c08/how_to_fix_a_loose_coaster_brake.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/fd3527d7-8c8d-4bdb-9e5e-4d4b7e97c069/73021655240.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/9959dc44-da64-43aa-bd7c-e1aa4c4a0dbe/gebexowevosuwafaditalirot.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/870885ee-ab89-412a-97b1-c361c005985f/57841829960.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ad108a19-20a2-48a4-ba17-d3806155bfbf/7301547475.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000d280.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD280 | 5368 bytes |
SHA-256: 563300deb7b27e8020ff69e02f96abe9f1fe55f66e05b663069a30cf3c7e0eca |
|||
font_01_sfnt_off0000e4b4.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE4B4 | 9952 bytes |
SHA-256: b8df33c0d7973dd944a184ad41b98ed1a183e5412d5aa4493327c2be6591bfbf |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.