Verdict: MALICIOUS
Risk Score: 244
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains a large number of embedded links, many of which point to disposable hosting and redirector infrastructure, indicating a link farm designed to distribute malware or phishing content. The heuristics 'PDF_MALICIOUS_REDIRECTOR_LINK' and 'PDF_SEO_LINK_FARM' strongly suggest malicious intent. The document body, though heavily obfuscated, contains a string related to 'hp elitebook 2560p bluetooth drivers download', likely a lure to entice users to click the malicious links.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://dafemum.ru/strik?utm_term=hp+elitebook+2560p+bluetooth+drivers+download (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000edf5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEDF5 | 5916 bytes | 9bc2369ffa9553510bc7c81cf6e21801ebc7a0a0e40f4738496ff4d29cc63bff |
| font_01_sfnt_off00010221.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10221 | 10704 bytes | 5a382e8dc4cec1532d75eda47e6c3bef4272659d15af350e35dfb63b5c77ad4a |