MALICIOUS
264
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains a large number of embedded links, many of which point to redirector infrastructure. The document body, though heavily obfuscated, appears to contain keywords related to game cheats, suggesting a lure to trick users into clicking malicious links. The presence of PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM heuristics strongly indicates a malicious link farm campaign.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://crophysi.ru/strik?utm_term=sims+3+pets+money+cheat+pc In PDF document text
- http://my-favshope.online/75716669909qsg3o.pdfIn PDF document text
- http://meetchat.space/what_does_rout_demons_meanqctu3.pdfIn PDF document text
- http://kkkirrreeee.space/mabolewomor8qzn8.pdfIn PDF document text
- https://wodosokereso.weebly.com/uploads/1/3/1/4/131407547/d4f9185bc3cdd56.pdfIn PDF document text
- https://bolumuratojepo.weebly.com/uploads/1/3/4/7/134749128/xibikug-luwatej-gageroru.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/gajabedafot/30751749411.pdfIn PDF document text
- https://329f26c8-0235-4118-8622-173d264d9cf1.filesusr.com/ugd/221f3a_8c39b680af3745e895663732f5862e4c.pdf?index=trueIn PDF document text
- http://safinemawexow.epizy.com/78764832880.pdfIn PDF document text
- http://medemamonolusav.rf.gd/47323190011.pdfIn PDF document text
- https://5366dd3f-28a3-4342-b8e5-5bed86455aec.filesusr.com/ugd/a92322_d17a66017ef441aeb16288c9a5d7fe93.pdf?index=trueIn PDF document text
- https://eaa62ee9-779c-4a2d-9f50-6c66b019a99c.filesusr.com/ugd/1cc777_ee5b40a9352241bc9aeb78b9bef15a1a.pdf?index=trueIn PDF document text
- https://8f0c9b82-9570-4081-bbb7-5e23a534ea09.filesusr.com/ugd/7008f3_e16757d8cd7046848e2429f7b46b8e29.pdf?index=trueIn PDF document text
- https://a12a05ab-6462-4855-b086-b0a2a961d6d8.filesusr.com/ugd/2c76f4_02a5ff39f6e749f7b2be85846092dfd6.pdf?index=trueIn PDF document text
- https://59e5a08b-0d8d-455f-a3a7-35a3b781ab3e.filesusr.com/ugd/784815_f26ecd73606f4e0e9d5ae4269ff62242.pdf?index=trueIn PDF document text
- https://8e0cabef-d481-4215-b437-8a5fc4e4723c.filesusr.com/ugd/f41140_2359218763ed49b789de2dcddf4640b0.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/sitozi/gozagupirudobodixek.pdfIn PDF document text
- https://1482387f-61d8-47e1-b538-9b7f1e8b89fb.filesusr.com/ugd/538d67_f7ed68ff125c42678ee1b6dc5d07f8c9.pdf?index=trueIn PDF document text
- https://123949be-7110-4ba3-a240-a7df06fb38ce.filesusr.com/ugd/80fd5d_f7330350d49f4c6d9eb5282447b05952.pdf?index=trueIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f7e5.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF7E5 | 5416 bytes |
SHA-256: c9a0a11b61e7040839faab42aa39e0389baa8232e5d8b610e7653636d727e3fd |
|||
font_01_sfnt_off00010a35.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10A35 | 11652 bytes |
SHA-256: 01b55b035e799d9a18a0725995fb15d752e553e224b21f8e92e07eb88a5e9698 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.