MALICIOUS
126
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://lozipotod.ru/strik?utm_term=how+do+i+reset+my+kenmore+elite+smartwash+quiet+pak+9 PDF link annotation
- https://static.s123-cdn-static.com/uploads/4393016/normal_5fe3830ed473f.pdfIn PDF document text
- http://dfahsdfgjsfg.online/67161859609t9yat.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4411916/normal_603f987599539.pdfIn PDF document text
- http://naturka.space/vexasewoxepimelekugozxcm2.pdfIn PDF document text
- http://carinsusa.info/spectrum_math_workbook_grade_8_free92cvz.pdfIn PDF document text
- http://lnstagrambusiness.com/relative_frequency_probability_worksheet_with_answers4k6ug.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4496812/normal_5fede0e6f1d57.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4408721/normal_606ea92953148.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://e2a12503-e9f4-4898-9b1e-00959bf5a9c8.filesusr.com/ugd/1f0de7_136d8c25f065418ebff1533f613144b0.pdf?index=trueIn PDF document text
- https://b54663a3-ff9d-4122-b75c-69b71428c9b0.filesusr.com/ugd/cfa91a_7fc956594b844e21a7549c130f1b5859.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/werowibovezoje/whirlpool_washing_machine_repair_centre.pdfIn PDF document text
- https://s3.amazonaws.com/feseni/witolifi.pdfIn PDF document text
- https://a43ab9c2-5efb-4cee-ac06-b782a0f5e207.filesusr.com/ugd/4826f5_962485fbf6ed4c13b6b53abacb896dff.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/09c4c04d-61f7-44f2-8c51-ee00f6f1df7b/pefuxo.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/0cf51167-95a8-4db5-9945-a22dd1047f6c/asus_rog_maximus_vi_hero_drivers.pdfIn PDF document text
- https://s3.amazonaws.com/libosokune/how_to_disable_restricted_mode_on_android.pdfIn PDF document text
- https://083189c9-8220-4687-a375-57be19a37228.filesusr.com/ugd/909b15_25972613e3d545ec8ecf4ad477aeedad.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/xuvamuba/compliance_testing_report.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/47911e10-9918-4c30-9df0-755cecacabc1/samsung_xpress_sl-c480fw_toner_schwarz.pdfIn PDF document text
- https://5563968e-3cf5-463b-8312-7915ab8a4794.filesusr.com/ugd/cd90d1_0182066016a546c19202d3e634ddbd53.pdf?index=trueIn PDF document text
- https://f770b3d7-c897-40e0-9323-5ad0abd91552.filesusr.com/ugd/1fa6dd_6d26b5f74bae494ca8bfb888d994b325.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e136.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE136 | 5700 bytes |
SHA-256: 3d117cb8e15fe6bfe10893be563678fb88b288b42898d0968b1af4e5f326bc82 |
|||
font_01_sfnt_off0000f47a.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF47A | 10740 bytes |
SHA-256: c64376afb5ad93152f54927bbe683229cfd64ac5fb074abaa6abc08042fa4c0f |
|||
font_02_sfnt_off00011929.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11929 | 16632 bytes |
SHA-256: d6aeca2d71d065aeba00d03c50d672d3ba05f186ce264dc70760bb3990d11dd0 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.