Verdict: MALICIOUS
Risk Score: 244
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains numerous links, with one specifically pointing to a known malicious redirector. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing trojan. The document body, though heavily obfuscated, appears to be a lure related to a printer service manual, aligning with the phishing pretext.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9993
Heuristics (6)
- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document (all of them from PDF document text). The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000fccb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFCCB | 6040 bytes | ebc42f3ac40edc05e19451e1b2d00bfa776599bcac026ad11aaecf948b5ed3c5 |
| font_01_sfnt_off0001114d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1114D | 11560 bytes | b43c3a54a8a5a769b54c3c2d20e08beae97460591b9f8a66ee0467c90cc8269a |