Verdict: MALICIOUS
Risk Score: 244
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF contains numerous embedded links, and the critical heuristic PDF_MALICIOUS_REDIRECTOR_LINK fired on one of them: a clickable URI pointing at redirector infrastructure tied to a known malicious PDF SEO/adware delivery campaign. The ML classifier and ClamAV both flag the file as malicious as well (ClamAV as Pdf.Phishing.Trojan), so the sample is best read as a phishing/trojan delivery carrier. The document body is heavily obfuscated, but the malicious redirector URL on its own is a strong indicator of intent. Note that the heuristics below state that the PDF carries no parser exploit and that the risk lies in the user-clicked redirect chains behind the links; the T1203 (Exploitation for Client Execution) mapping is therefore not borne out by these findings, while T1566.001 fits the delivery pattern.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9998
Heuristics (6)
- ClamAV detection [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the "free document/template" SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the URLs below were found in PDF document text:
  - https://yafferge.ru/wix?keyword=estudio+biblico+sobre+la+santidad+del+creyente
  - http://localdesign.me/77735273234jgk7j.pdf
  - http://spencermcman.us/4376435175qmhf4.pdf
  - http://www.ascendercorp.com/
  - http://www.ascendercorp.com/typedesigners.html
  - https://uploads.strikinglycdn.com/files/45205341-8eb0-4c1d-a0c8-6f06be59efae/ap_stats_2016_frq_6.pdf
  - https://87da31d5-d184-45e7-a456-0ad082c8bd65.filesusr.com/ugd/55e94a_2ad733025ab64c4da3f854631fab08ce.pdf?index=true
  - https://uploads.strikinglycdn.com/files/58b50808-8872-4510-9d1b-a4b10572d78a/peacock_pencil_drawing_step_by_step.pdf
  - https://uploads.strikinglycdn.com/files/b6530890-cb53-4d85-9c95-67d319d94b89/51601971708.pdf
  - https://uploads.strikinglycdn.com/files/9f54023e-e1a5-4f0e-92cc-6e83ae8a96c0/dynaco_mk_iii_manual.pdf
  - https://uploads.strikinglycdn.com/files/b2d9d26f-ec70-47f9-a93a-4217f07c4f62/utopia_for_realists_nyt_review.pdf
  - http://xugonowelimije.epizy.com/44112554801.pdf
  - https://uploads.strikinglycdn.com/files/5aaeca1c-6b7a-4bff-84d4-f6d586c446b1/51138663960.pdf
  - http://vokotikif.epizy.com/learn_chinese_online_best_course.pdf
  - https://uploads.strikinglycdn.com/files/adb1e336-7154-42ec-8ccf-aba9f2d522fd/programmable_logic_controllers_5th_edition_petruzella_solutions_manual.pdf
  - http://jipinasin.epizy.com/why_does_my_wifi_connection_says_no_internet_secured.pdf
  - https://uploads.strikinglycdn.com/files/fc804ba9-d1ec-4d32-a1e7-484f33dc1479/peter_and_wendy_cast.pdf
  - https://uploads.strikinglycdn.com/files/7860fdff-1efa-4218-9054-f5b8369d1588/zemomowikusotivegibipo.pdf
  - https://99442e0c-e188-470f-b1e9-a2082f9e7f28.filesusr.com/ugd/2274a7_77bb331462db4d488b08e174ca47a4ce.pdf?index=true
  - https://uploads.strikinglycdn.com/files/6b814973-60a3-4f9b-b1e1-a735e7bc77af/stihl_chainsaw_ms_180_service_repair_manual.pdf
  - http://xubixetumed.rf.gd/sathuranga_vettai_2_movie_free_tamilrockers.pdf
  - https://uploads.strikinglycdn.com/files/03a5471f-ccb4-4c5d-a4a0-575707250358/mexakitogozagofedevexije.pdf
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/rights/
  - http://scripts.sil.org/OFL

  The last seven entries (the w3.org RDF namespace, the purl.org Dublin Core namespace, the ns.adobe.com XMP namespaces and the SIL Open Font License URL) are namespace and licence URIs from the PDF's XMP metadata and embedded fonts. They are not clickable links, appear in most PDFs, and are not indicators; the link-farm evidence is the 19 external .pdf links above them plus the yafferge.ru keyword redirector.
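The two link-farm heuristics above describe opposite host distributions (one dominant host versus a thin spread across many), yet both fired on this sample. The URL list shows why: 11 of the 19 external .pdf links sit on uploads.strikinglycdn.com, while the remaining eight are spread over epizy.com, rf.gd, filesusr.com and two other hosts, and the one non-.pdf link with a search keyword in its query string is the yafferge.ru redirector. The following is an added example, not the analyzer's own code, that recomputes that evidence from the report's URL list: it drops the XMP/licence namespace URIs, counts .pdf links per host, checks for free-hosting suffixes and for a keyword-style redirector, and applies rules of the same shape as PDF_SEO_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM. The thresholds, the disposable-host suffix list, the `keyword` parameter (the report only names `utm_term`) and the 90 kB file size are assumptions; the analyzer's real thresholds are not published on this page.

```python
# Added example (not the analyzer's own code): link-farm heuristics of the
# shape described in the report, run over the report's extracted URL list.
from collections import Counter
from urllib.parse import parse_qs, urlparse

# URLs exactly as listed in the report's EMBEDDED_URL section.
REPORT_URLS = [
    "https://yafferge.ru/wix?keyword=estudio+biblico+sobre+la+santidad+del+creyente",
    "http://localdesign.me/77735273234jgk7j.pdf",
    "http://spencermcman.us/4376435175qmhf4.pdf",
    "http://www.ascendercorp.com/",
    "http://www.ascendercorp.com/typedesigners.html",
    "https://uploads.strikinglycdn.com/files/45205341-8eb0-4c1d-a0c8-6f06be59efae/ap_stats_2016_frq_6.pdf",
    "https://87da31d5-d184-45e7-a456-0ad082c8bd65.filesusr.com/ugd/55e94a_2ad733025ab64c4da3f854631fab08ce.pdf?index=true",
    "https://uploads.strikinglycdn.com/files/58b50808-8872-4510-9d1b-a4b10572d78a/peacock_pencil_drawing_step_by_step.pdf",
    "https://uploads.strikinglycdn.com/files/b6530890-cb53-4d85-9c95-67d319d94b89/51601971708.pdf",
    "https://uploads.strikinglycdn.com/files/9f54023e-e1a5-4f0e-92cc-6e83ae8a96c0/dynaco_mk_iii_manual.pdf",
    "https://uploads.strikinglycdn.com/files/b2d9d26f-ec70-47f9-a93a-4217f07c4f62/utopia_for_realists_nyt_review.pdf",
    "http://xugonowelimije.epizy.com/44112554801.pdf",
    "https://uploads.strikinglycdn.com/files/5aaeca1c-6b7a-4bff-84d4-f6d586c446b1/51138663960.pdf",
    "http://vokotikif.epizy.com/learn_chinese_online_best_course.pdf",
    "https://uploads.strikinglycdn.com/files/adb1e336-7154-42ec-8ccf-aba9f2d522fd/programmable_logic_controllers_5th_edition_petruzella_solutions_manual.pdf",
    "http://jipinasin.epizy.com/why_does_my_wifi_connection_says_no_internet_secured.pdf",
    "https://uploads.strikinglycdn.com/files/fc804ba9-d1ec-4d32-a1e7-484f33dc1479/peter_and_wendy_cast.pdf",
    "https://uploads.strikinglycdn.com/files/7860fdff-1efa-4218-9054-f5b8369d1588/zemomowikusotivegibipo.pdf",
    "https://99442e0c-e188-470f-b1e9-a2082f9e7f28.filesusr.com/ugd/2274a7_77bb331462db4d488b08e174ca47a4ce.pdf?index=true",
    "https://uploads.strikinglycdn.com/files/6b814973-60a3-4f9b-b1e1-a735e7bc77af/stihl_chainsaw_ms_180_service_repair_manual.pdf",
    "http://xubixetumed.rf.gd/sathuranga_vettai_2_movie_free_tamilrockers.pdf",
    "https://uploads.strikinglycdn.com/files/03a5471f-ccb4-4c5d-a4a0-575707250358/mexakitogozagofedevexije.pdf",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/pdf/1.3/",
    "http://ns.adobe.com/xap/1.0/",
    "http://ns.adobe.com/xap/1.0/mm/",
    "http://ns.adobe.com/xap/1.0/rights/",
    "http://scripts.sil.org/OFL",
]

# XMP / Dublin Core / font-licence namespace URIs: present in most PDFs, never clickable.
METADATA_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns", "http://purl.org/dc/",
                     "http://ns.adobe.com/", "http://scripts.sil.org/OFL")
# Assumed free/disposable content-host suffixes for this example (not the analyzer's list).
DISPOSABLE_SUFFIXES = (".epizy.com", ".rf.gd", ".strikinglycdn.com", ".filesusr.com")
# utm_term is the parameter the report names; 'keyword' is assumed for the yafferge.ru link.
REDIRECTOR_PARAMS = {"utm_term", "keyword"}


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_pdf_link(url):
    return urlparse(url).path.lower().endswith(".pdf")


def is_seo_redirector(url):
    return bool(REDIRECTOR_PARAMS & set(parse_qs(urlparse(url).query)))


def analyse_links(urls, pdf_size, small_limit=200_000, min_links=8,
                  dominant_share=0.5, many_hosts=5):
    """Return the evidence the two link-farm rules weigh, plus the rules that fire."""
    links = [u for u in urls if not u.startswith(METADATA_PREFIXES)]
    pdf_links = [u for u in links if is_pdf_link(u)]
    hosts = Counter(host_of(u) for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    disposable = [u for u in pdf_links if host_of(u).endswith(DISPOSABLE_SUFFIXES)]
    redirectors = [u for u in links if is_seo_redirector(u)]
    findings = []
    if pdf_size <= small_limit and len(pdf_links) >= min_links:
        if top_count / len(pdf_links) >= dominant_share:   # most links on one host
            findings.append("PDF_SEO_LINK_FARM")
        if len(hosts) >= many_hosts and (disposable or redirectors):  # spread + corroboration
            findings.append("PDF_SEO_DISPOSABLE_LINK_FARM")
    return {"pdf_links": len(pdf_links), "distinct_hosts": len(hosts), "top_host": top_host,
            "top_count": top_count, "disposable": len(disposable),
            "redirectors": redirectors, "findings": findings}


if __name__ == "__main__":
    # The report only says the PDF is small; 90 kB is an assumed size for this run.
    for key, value in analyse_links(REPORT_URLS, pdf_size=90_000).items():
        print(f"{key}: {value}")
```

Because the two rules are evaluated independently here, the sample trips both, just as in the report; raising `dominant_share` or requiring `len(hosts) >= many_hosts` only when no host holds a majority would make them mutually exclusive, which is a tuning choice rather than a correctness one.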
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000fe53.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFE53 | 5132 bytes | 1efee733350c73d24fe80f1de548dd7a9fcef29efe5e470f40255e8487588630 |
| font_01_sfnt_off00010fdc.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10FDC | 10460 bytes | 928140a99e561dda204d3d2ff965c21e1a7fbad02311f50da9916dd36811d254 |
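The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic in the list above fired at info severity because an indirect object is defined twice with different bodies. The following is an added example, not the analyzer's code, that shows how such a check works: it walks every `N G obj ... endobj` definition in the raw bytes regardless of what the cross-reference table points at, groups them by object number and generation, reports the body a first-wins reader and a last-wins reader would each resolve, and raises severity only when one of the bodies carries an action key (the policy the report describes). The sample PDF is constructed inline: a one-page document whose link annotation (object 4) and Info dictionary (object 5) are both redefined in an appended incremental update, with `docs.example` and `redirect.invalid` as placeholder link targets. The action-key list and the `medium`/`info` labels are assumptions for the example.

```python
# Added example (not the analyzer's own code): find indirect objects defined
# more than once with different bodies, the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape.
import re

# "N G obj <body> endobj", scanned over raw bytes so definitions no xref entry
# points at are still seen. Bodies that contain a literal "endobj" inside stream
# data would be cut short by this simple pattern; good enough for a triage pass.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)[ \t\r\n]+(\d+)[ \t\r\n]+obj\b(.*?)\bendobj", re.DOTALL)
# Keys that make a duplicate worth more than "info": they carry actions, not just data.
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/GoToR")

# Constructed sample: original revision, then an incremental update that redefines
# object 4 (link target changes) and object 5 (Producer string changes).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 200 20]"
    b" /A << /S /URI /URI (https://docs.example/manual.pdf) >> >>\nendobj\n"
    b"5 0 obj\n<< /Producer (generator 1.0) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 5 0 R >>\n%%EOF\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 200 20]"
    b" /A << /S /URI /URI (http://redirect.invalid/44112554801.pdf) >> >>\nendobj\n"
    b"5 0 obj\n<< /Producer (generator 1.1) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 5 0 R /Prev 9 >>\n%%EOF\n"
)


def object_definitions(pdf):
    """Map (num, gen) -> list of body bytes, in file order."""
    defs = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        defs.setdefault(key, []).append(m.group(3).strip())
    return defs


def duplicate_objects(pdf):
    """Report objects whose repeated definitions differ, with both resolutions."""
    findings = []
    for key, bodies in object_definitions(pdf).items():
        if len(set(bodies)) < 2:
            continue  # one definition, or a byte-identical re-emission: no confusion possible
        active = any(k in body for body in bodies for k in ACTIVE_KEYS)
        findings.append({
            "obj": key,
            "definitions": len(bodies),
            "first_wins": bodies[0],   # what a reader that keeps the first definition uses
            "last_wins": bodies[-1],   # what a reader honouring the incremental update uses
            "severity": "medium" if active else "info",
        })
    return findings


if __name__ == "__main__":
    for f in duplicate_objects(SAMPLE_PDF):
        print(f["obj"], f["severity"], f["first_wins"], "->", f["last_wins"])
```

On the constructed sample, object 5 comes back at info severity (a Producer string changed, the benign incremental-update case), while object 4 is raised because its bodies carry a `/URI` action and the two resolutions point at different hosts; that split is what lets the rule stay quiet on ordinary edited documents while still surfacing a link annotation whose target depends on which parser opens the file.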