Verdict: MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains a large number of external links, many hosted on disposable domains, suggesting a link farm or SEO manipulation tactic. The ML classifier strongly indicates maliciousness. While no scripts were explicitly extracted, the PDF structure and embedded links are indicative of a malicious document designed to redirect users to potentially harmful websites.
Machine Learning
- Nyx PDF Classifier malicious score 0.9993
Heuristics (5)
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://soxebez.ru/123?utm_term=green+belt+training+pdf (PDF link annotation)
  - https://nutakofo.weebly.com/uploads/1/3/4/8/134894975/meritotepobiz.pdf (in PDF document text)
  - https://mofumamivuzav.weebly.com/uploads/1/3/1/0/131070192/9450820.pdf (in PDF document text)
  - https://dizasufe.weebly.com/uploads/1/3/4/6/134680143/nexiput_dulom_juzap_zavatikog.pdf (in PDF document text)
  - https://mabaxezo.weebly.com/uploads/1/3/4/7/134766945/wigobusita.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - http://xoxafepapesu.pbworks.com/w/file/fetch/144729525/how_to_open_a_stanley_bostitch_stapler_model_b8hdp.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/e2fb0e18-a755-4748-bed5-5c870ac69fff/wedivelev.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/1851c9f0-2f98-4b04-b99b-09c5ac752a4c/big_buddy_heater_battery_door.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/5240393a-0015-4de8-a77f-9a2da3355483/28882311721.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/1c810167-22e2-4f8a-9df8-1a3ffda6d871/check_certified_mail_delivery_status.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/e13c3b22-f3ee-432d-86be-a52bba722c07/kateg.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/53b46c74-58ce-4842-96c5-0d0b93e2a6e0/naza-m_lite_with_gps_kit.pdf (in PDF document text)
  - http://fuzujufod.pbworks.com/f/trai_h_si_tnh_c_v_b_trn_sstruyen.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/31405578-fa98-4474-ba61-8e3f3bb3357f/degizogomatojajo.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/c14f26a1-02ea-466a-b503-8dc2afd22347/sap_tc_display_inbound_delivery.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/8b87c387-ade3-4f50-acc4-a8b582e831c3/how_to_install_self_adhesive_vinyl_tiles_on_concrete.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/19c6c77b-dbac-4b8f-8f74-046f44501621/56606214149.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/c38265f0-edab-445d-a2ac-a00c2d61bae1/jatexos.pdf (in PDF document text)
  - http://zolunegoli.pbworks.com/w/file/fetch/144561762/kavoxevusaxote.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/532af3cf-65bc-4619-a1e0-db0e5e5a6c2d/ejemplos_de_palancas_de_primer_genero_en_la_vida_diaria.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/a860f9f1-5ee4-40be-aced-5424599b3a3d/35692433916.pdf (in PDF document text)
  - http://podimil.pbworks.com/w/file/fetch/144491598/frp_bypass_apk_samsung_j7_download.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/4199bb9e-7d05-4a3e-921d-3b8f8554fb76/line_6_pod_farm_platinum_amp_models.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/15daa9e9-76c7-48fc-a63c-bcd661e832b3/essential_oils_pocket_reference_free.pdf (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
  - http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f2f5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF2F5 | 5204 bytes | b5e56f58ccd12a6c9a673fba0a9c88b42119cde9bcef7c42ed6062abcac49495 |
| font_01_sfnt_off000104b4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x104B4 | 12112 bytes | a26455a715340af4faee3e7142ee38bafcd9d95ec5f95d5ac14d7d314282f7da |