Verdict: MALICIOUS (Risk Score 134)
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. It uses an urgency-based lure. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 6
- [critical] CLAMAV_DETECTION (ClamAV): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- [medium] PDF_SEO_DISPOSABLE_LINK_FARM (Small PDF is a non-clustered link farm on disposable hosting): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the "free document/template" SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- [low] SE_URGENCY_LURE (Urgency / deadline lure): Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.). Useful context, but low-signal without other findings.
- [info] PDF_URI (External URI): PDF contains an external URL action.
- [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (Object number defined twice with different bodies): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- [info] EMBEDDED_URL (Embedded URL): One or more URLs were extracted from the document. The URL itself is not a detection; the channel in parentheses after each URL says how it was reached (macro, JS, link annotation, document body, ...).
  - https://fokemale.ru/wix?keyword=the+scarlet+letter+study+guide+chapters+1-3 (PDF link annotation)
  - https://cdn.sqhk.co/dijabidasu/4ojjVhb/latigo_in_english_word.pdf (in PDF document text)
  - https://cdn.sqhk.co/busunava/g4phcJR/73458354350.pdf (in PDF document text)
  - http://kavademive.sportsontheweb.net/wezokawaduzolurejajojota.pdf (in PDF document text)
  - https://cdn.sqhk.co/jifonakilux/iaW4Eid/popular_songs_of_the_50s_and_60s.pdf (in PDF document text)
  - https://cdn.sqhk.co/xidatelo/iih5xVv/28754581857.pdf (in PDF document text)
  - https://cdn.sqhk.co/nebinefis/HgcywWo/corporate_strategy_salary_london.pdf (in PDF document text)
  - http://zijukikov.mypressonline.com/el_nuevo_cine_mexicano.pdf (in PDF document text)
  - https://cdn.sqhk.co/jotenitix/jgcIjgJ/12389157618.pdf (in PDF document text)
  - http://lujadexezusunam.22web.org/24557184424.pdf (in PDF document text)
  - https://cdn.sqhk.co/kawinojos/cgjigfG/can_we_download_national_test_abhyas_on_laptop.pdf (in PDF document text)
  - http://mareson.getenjoyment.net/ielts_general_reading_test_tips.pdf (in PDF document text)
  - https://cdn.sqhk.co/kitujesijak/eijhZje/m_interesse_au_plus_haut_point_synonyme.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - https://uploads.strikinglycdn.com/files/3bfc0933-c7f9-4e35-8ad3-2f5780b0b4f9/56167782267.pdf (in PDF document text)
  - http://tipokeviti.atwebpages.com/how_to_enable_wifi_direct_on_hp_printer.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/b4f9af8f-68ce-4469-bf0e-81d17cf06e9c/kekeziseruvik.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/3efa7ff8-c50f-4e84-9746-973c71838e26/what_is_the_keyboard_shortcut_for_a_screenshot.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/27354b2f-aa69-4688-bfdd-3241e22ddbdf/74213277762.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/4e0f3c35-ff5a-483d-ac7a-9226aa45154c/ridgid_tri_stack_air_compressor_home_depot.pdf (in PDF document text)
  - http://wokasob.rf.gd/how_to_make_a_photo_look_like_its_talking.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/178f447b-25ee-4075-bcbd-534ec3ade41d/73687573212.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/3aa565c8-ac0d-48af-a554-e9df70eb7f51/my_cloud_ssh_access_denied.pdf (in PDF document text)
  - http://vatapusaf.rf.gd/pavitra_bandham_songs_now.pdf (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
  - http://scripts.sil.org/OFL (in PDF document text)
  Note: the w3.org, purl.org, ns.adobe.com and scripts.sil.org entries are XMP namespace identifiers and the SIL Open Font License URI, and the ascendercorp.com entries are font-vendor strings; any PDF with XMP metadata and embedded fonts carries such URLs, and they are not lure destinations. The only URL reachable by clicking (the link annotation) is the fokemale.ru keyword redirector; the .pdf links on cdn.sqhk.co, strikinglycdn.com and the free-hosting domains sit in the document text.
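The two structural heuristics above, PDF_SEO_DISPOSABLE_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can both be reproduced with a byte-level scan that needs no xref parsing. The Python script below is an added example written for this page, not the analyzer's own code: it builds a constructed PDF in memory whose link annotations use hosts taken from this report's indicator list, appends an incremental update that redefines object `4 0` so that a last-wins reader follows the keyword redirector while a first-wins reader follows the original link, and then runs both checks over the bytes. The free-hosting suffix list is lifted from the hosts in this report and is illustrative only; the thresholds (8 links, 5 hosts, dominant-host share below 0.5), the `SEO_PARAMS` set and the `ACTIVE_KEYS` list are assumptions, not the analyzer's real rule parameters.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Byte-level scan: "N G obj ... endobj" bodies and /URI actions; xref tables are never consulted.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

# Assumptions (not from the analyzer): query parameters that mark an SEO redirector,
# free-hosting suffixes (taken from this report's indicator hosts), keys that count as active content.
SEO_PARAMS = {"utm_term", "keyword"}
FREE_HOST_SUFFIXES = (".rf.gd", ".22web.org", ".atwebpages.com", ".mypressonline.com",
                      ".sportsontheweb.net", ".getenjoyment.net", ".strikinglycdn.com")
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA", b"/URI", b"/SubmitForm")


def pdf_objects(data: bytes):
    """All indirect object definitions in file order as ((num, gen), body)."""
    return [((int(m.group(1)), int(m.group(2))), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def duplicate_objects(data: bytes):
    """Objects whose first and last definitions differ: a first-wins reader and a
    last-wins reader will resolve different content for the same 'N G' reference."""
    first, last = {}, {}
    for key, body in pdf_objects(data):
        first.setdefault(key, body)
        last[key] = body
    return {k: (first[k], last[k]) for k in first if first[k] != last[k]}


def has_active_content(body: bytes) -> bool:
    return any(key in body for key in ACTIVE_KEYS)


def duplicate_findings(data: bytes):
    """Severity is raised only when a conflicting duplicate carries active content,
    as the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL rule text describes."""
    findings = []
    for (num, gen), (first, last) in sorted(duplicate_objects(data).items()):
        active = has_active_content(first) or has_active_content(last)
        findings.append({"obj": f"{num} {gen}", "severity": "high" if active else "info",
                         "first_wins": first, "last_wins": last})
    return findings


def link_farm_metrics(data: bytes, min_links=8, min_hosts=5, max_dominant_share=0.5):
    """Host-spread metrics behind PDF_SEO_DISPOSABLE_LINK_FARM (thresholds are assumptions)."""
    urls = sorted({u.decode("latin-1") for u in URI_RE.findall(data)})
    hosts = Counter((urlsplit(u).hostname or "").lower() for u in urls)
    dominant_share = max(hosts.values()) / len(urls) if urls else 0.0
    seo_redirectors = [u for u in urls if SEO_PARAMS & set(parse_qs(urlsplit(u).query))]
    disposable = sorted(h for h in hosts if h.endswith(FREE_HOST_SUFFIXES))
    is_farm = (len(urls) >= min_links and len(hosts) >= min_hosts
               and dominant_share < max_dominant_share and bool(seo_redirectors or disposable))
    return {"n_links": len(urls), "n_hosts": len(hosts), "dominant_share": dominant_share,
            "seo_redirectors": seo_redirectors, "disposable_hosts": disposable,
            "is_link_farm": is_farm}


# Constructed sample (not the analysed file): hosts come from the report's indicator list.
URLS = [
    "https://cdn.sqhk.co/dijabidasu/4ojjVhb/latigo_in_english_word.pdf",
    "https://cdn.sqhk.co/busunava/g4phcJR/73458354350.pdf",
    "https://cdn.sqhk.co/jotenitix/jgcIjgJ/12389157618.pdf",
    "http://kavademive.sportsontheweb.net/wezokawaduzolurejajojota.pdf",
    "http://zijukikov.mypressonline.com/el_nuevo_cine_mexicano.pdf",
    "http://lujadexezusunam.22web.org/24557184424.pdf",
    "http://tipokeviti.atwebpages.com/how_to_enable_wifi_direct_on_hp_printer.pdf",
    "http://wokasob.rf.gd/how_to_make_a_photo_look_like_its_talking.pdf",
    "http://vatapusaf.rf.gd/pavitra_bandham_songs_now.pdf",
    "https://uploads.strikinglycdn.com/files/3bfc0933-c7f9-4e35-8ad3-2f5780b0b4f9/56167782267.pdf",
]
REDIRECTOR = "https://fokemale.ru/wix?keyword=the+scarlet+letter+study+guide+chapters+1-3"


def link_annot(num: int, url: str) -> bytes:
    return (f"{num} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
            f"/A << /S /URI /URI ({url}) >> >> endobj\n").encode()


def build_sample_pdf(urls=URLS, redirector=REDIRECTOR) -> bytes:
    # xref tables are omitted on purpose: the scan above is byte-level and ignores them.
    refs = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    pdf = (b"%PDF-1.4\n"
           b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
           b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
           + f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [{refs}] >> endobj\n".encode())
    pdf += b"".join(link_annot(4 + i, u) for i, u in enumerate(urls))
    pdf += b"trailer << /Root 1 0 R >>\n%%EOF\n"
    pdf += link_annot(4, redirector)  # incremental update: same "4 0", different body
    pdf += b"trailer << /Root 1 0 R >>\n%%EOF\n"
    return pdf


SAMPLE = build_sample_pdf()

if __name__ == "__main__":
    m = link_farm_metrics(SAMPLE)
    print(f"links={m['n_links']} hosts={m['n_hosts']} dominant={m['dominant_share']:.2f} "
          f"redirectors={len(m['seo_redirectors'])} disposable={len(m['disposable_hosts'])} "
          f"link_farm={m['is_link_farm']}")
    for f in duplicate_findings(SAMPLE):
        print(f"duplicate object {f['obj']} severity={f['severity']}")
        print("  first-wins reader follows:", URI_RE.search(f["first_wins"]).group(1).decode())
        print("  last-wins reader follows: ", URI_RE.search(f["last_wins"]).group(1).decode())
```

Two design points worth keeping when adapting this: duplicates are compared on stripped body bytes, so a benign incremental update that rewrites an object identically is not flagged, and the link-farm verdict is computed over unique URLs so a redefined annotation does not double-count its host. On a real sample, run the same functions over the file's bytes; link annotations inside object streams or compressed content would need the streams inflated first, which this byte-level scan does not do.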
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f446.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF446 | 5632 bytes | c07f1493360431253d0297676262251199f1c9b063a29f6c998bacf5bda82091 |
| font_01_sfnt_off0001077f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1077F | 11412 bytes | af848bd0661fa631f3a16fd05c210935a99d5bfc17356d74f7aa632e80bb1f85 |