Verdict: MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan payload. It contains numerous embedded URLs, many pointing to disposable hosting services, suggesting a link farm designed to redirect users to malicious content. The primary malicious URL identified is https://pistant.ru/pbw?utm_term=the+nearest+pawn+shop+to+my+location, which likely serves as the final destination for the phishing attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.9954
Heuristics 5
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL https://pistant.ru/pbw?utm_term=the+nearest+pawn+shop+to+my+location (PDF link annotation)
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000ece8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xECE8 | 3272 bytes | 42f2885f35c5d44051fa9553c160cece5f62632ca4849d5d091ab0e816752b12 |
| font_01_sfnt_off0000f88c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF88C | 5316 bytes | 7448b04caf273991c1f69b945baf7c50d1f93a771b8efbf6b8d94850644931af |
| font_02_sfnt_off00010a8e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10A8E | 10004 bytes | cdad98a8c057baf565d6dfb2db221d8b143debc729345b8a4d5240e6db6ce009 |