Verdict: MALICIOUS
Risk Score: 244
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
T1203 Exploitation for Client Execution
The PDF file contains a large number of embedded links, most of which point to other PDFs parked on free/disposable content hosting (weebly.com, filesusr.com, strikinglycdn.com), plus one utm_term URL on yafferge.ru identified as a known malicious SEO redirector. The heuristic firings indicate a generated SEO link-farm carrier built to route users into malicious or unwanted-software delivery chains; the ML classifier and ClamAV detection corroborate malicious intent, most likely phishing or malware distribution. None of the listed findings shows JavaScript or a parser exploit in the document itself (the heuristics state the risk lies in the linked destinations and that the chain depends on user interaction), so the T1059.007 and T1203 mappings above reflect the generic mapping of the detection class rather than behaviour observed in this sample.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9983
Heuristics (6)
- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the "free document/template" SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL below was reached through the same channel: in PDF document text.
  - https://yafferge.ru/strik?utm_term=selenium+testing+tutorial+for+beginners
  - https://ritosigom.weebly.com/uploads/1/3/1/4/131453630/bulemizoxofoduzeli.pdf
  - https://jijovozezara.weebly.com/uploads/1/3/1/1/131163872/1d166.pdf
  - https://dijujuvosidig.weebly.com/uploads/1/3/0/8/130873718/jupobixo-zebaw.pdf
  - https://ledobosu.weebly.com/uploads/1/3/1/3/131383424/dabujijazo.pdf
  - https://jewelilug.weebly.com/uploads/1/3/4/3/134331877/827524.pdf
  - https://bamutemo.weebly.com/uploads/1/3/2/6/132681362/3386052.pdf
  - https://rusipamisu.weebly.com/uploads/1/3/4/0/134017355/d567b.pdf
  - https://xinotetul.weebly.com/uploads/1/3/5/3/135351743/womapan.pdf
  - https://pepigapipewoma.weebly.com/uploads/1/3/4/0/134000130/cce2586b84bb.pdf
  - http://www.ascendercorp.com/
  - http://www.ascendercorp.com/typedesigners.html
  - http://www.daltonmaag.com/
  - https://4b3b4da4-1145-40fd-8a04-0ac29766dab0.filesusr.com/ugd/6c6203_8a3471c72f0b4f0db6cdd20bcef9d9a0.pdf?index=true
  - https://uploads.strikinglycdn.com/files/46314cf4-c382-43b4-839f-340f2adeeda3/rotinuwoka.pdf
  - https://a86a6b26-b473-4b55-b9aa-7628a2bff077.filesusr.com/ugd/4f270c_0b513b95d5984fb08ecd276834fe6f26.pdf?index=true
  - https://c301b42c-deab-4116-afcd-a09dd0728425.filesusr.com/ugd/4bb894_1b2439c032254284a10c1adc2c7ddcf1.pdf?index=true
  - https://uploads.strikinglycdn.com/files/c99d94a1-b0cb-4c67-abed-dfc7d9c60e66/blackjack_rules_5_cards.pdf
  - https://85d2c5a2-fc31-4f76-86b4-4ebe2abe2bf4.filesusr.com/ugd/a8cc01_d588d190962045f093796cae1c37deed.pdf?index=true
  - https://336ddc11-c37d-4cd6-9685-7accad2975f7.filesusr.com/ugd/479fa9_5c343c3c9bbb4f6c92b847e0d30a0707.pdf?index=true
  - https://c3d762b3-5d50-4891-ab6d-43710edd2423.filesusr.com/ugd/3254bf_c6c9a4f8074c4226a5ed6dece9eb0f9e.pdf?index=true
  - https://0296ecfc-28ae-4fa5-925c-67a25994cace.filesusr.com/ugd/c88839_c6c869772b7c4cefa1e68f71a87aa70a.pdf?index=true
  - https://uploads.strikinglycdn.com/files/a98f699c-4b84-4f84-a78c-34a06bb1574d/how_many_umbrella_academy_comic_books_are_there.pdf
  - https://79e5ec13-148a-49e7-9308-7b7844992bd9.filesusr.com/ugd/1d149b_bf1e7be24f5546daab2b7b30ebe21b07.pdf?index=true
  - https://48b7024d-7414-4593-b44d-ed892b96ad15.filesusr.com/ugd/3e5db3_ac1de79c01e540b4badbcd9c08ea82f6.pdf?index=true
  - https://95a57b4d-a24c-4412-bd87-88f4f885d252.filesusr.com/ugd/011e4b_46e2cc71a66943d984de2fd6b98d2a5c.pdf?index=true
  - https://19f621d4-ab03-49b5-bf1d-c78de40104d4.filesusr.com/ugd/bc84a3_a8feb6a32fc14691ab2a4a880aea1207.pdf?index=true
  - https://78f121e6-5824-477f-9480-4bf23eba804c.filesusr.com/ugd/9564ad_4621a31d4a0c49e7a6624e6d802cb847.pdf?index=true
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/rights/
  - http://scripts.sil.org/OFL
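The two link-farm rules above (PDF_SEO_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM) can both fire on the same URL list only if "host" is measured at different granularities: by registrable domain the filesusr.com links dominate, while by full hostname every link sits on its own subdomain. The following is an added example, not the analyzer's own code, that re-creates that logic over a subset of the URLs listed above. The thresholds (8 PDF links, 50% share), the disposable-host list, the XMP namespace prefixes excluded from counting, and the crude registrable-domain split are all assumptions for illustration.

```python
"""Link-farm heuristics over the URIs extracted from a PDF (added example)."""
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Free/disposable content hosts (assumed list, chosen to match the report's URLs).
DISPOSABLE_SUFFIXES = ("weebly.com", "filesusr.com", "strikinglycdn.com")
# XMP/RDF namespace URIs live in document metadata and are not navigable targets.
METADATA_PREFIXES = ("http://www.w3.org/", "http://purl.org/", "http://ns.adobe.com/")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); production code should use the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_url(url: str) -> dict:
    """Per-URL features the link-farm rules depend on."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    return {
        "url": url,
        "host": host,
        "domain": registrable_domain(host),
        "metadata_ns": url.startswith(METADATA_PREFIXES),
        "pdf_target": p.path.lower().endswith(".pdf"),
        "disposable": host.endswith(DISPOSABLE_SUFFIXES),
        "utm_term": "utm_term" in parse_qs(p.query),
    }


def assess_link_farm(urls, min_pdf_links: int = 8, dominant_share: float = 0.5) -> dict:
    """Fire the two link-farm rules on a list of extracted URLs (thresholds assumed)."""
    infos = [classify_url(u) for u in urls]
    pdf_links = [i for i in infos if i["pdf_target"] and not i["metadata_ns"]]
    n = len(pdf_links)
    result = {
        "pdf_links": n,
        "distinct_hosts": len({i["host"] for i in pdf_links}),
        "disposable_links": sum(i["disposable"] for i in pdf_links),
        "utm_term_redirectors": [i["url"] for i in infos if i["utm_term"]],
        "top_domain": None,
        "rules": [],
    }
    if n < min_pdf_links:
        return result  # a handful of citations is a normal document pattern
    result["top_domain"] = Counter(i["domain"] for i in pdf_links).most_common(1)[0]
    top_host_count = Counter(i["host"] for i in pdf_links).most_common(1)[0][1]
    # Clustered variant: one registrable domain carries most of the PDF links.
    if result["top_domain"][1] / n >= dominant_share:
        result["rules"].append("PDF_SEO_LINK_FARM")
    # Non-clustered variant: no dominant full hostname, corroborated by disposable
    # hosting or a utm_term SEO-redirector link.
    if top_host_count / n < dominant_share and (
        result["disposable_links"] or result["utm_term_redirectors"]
    ):
        result["rules"].append("PDF_SEO_DISPOSABLE_LINK_FARM")
    return result


# Sample input: a subset of the URLs listed in the report above.
SAMPLE_URLS = [
    "https://yafferge.ru/strik?utm_term=selenium+testing+tutorial+for+beginners",
    "https://ritosigom.weebly.com/uploads/1/3/1/4/131453630/bulemizoxofoduzeli.pdf",
    "https://jijovozezara.weebly.com/uploads/1/3/1/1/131163872/1d166.pdf",
    "https://dijujuvosidig.weebly.com/uploads/1/3/0/8/130873718/jupobixo-zebaw.pdf",
    "https://4b3b4da4-1145-40fd-8a04-0ac29766dab0.filesusr.com/ugd/6c6203_8a3471c72f0b4f0db6cdd20bcef9d9a0.pdf?index=true",
    "https://a86a6b26-b473-4b55-b9aa-7628a2bff077.filesusr.com/ugd/4f270c_0b513b95d5984fb08ecd276834fe6f26.pdf?index=true",
    "https://c301b42c-deab-4116-afcd-a09dd0728425.filesusr.com/ugd/4bb894_1b2439c032254284a10c1adc2c7ddcf1.pdf?index=true",
    "https://85d2c5a2-fc31-4f76-86b4-4ebe2abe2bf4.filesusr.com/ugd/a8cc01_d588d190962045f093796cae1c37deed.pdf?index=true",
    "https://336ddc11-c37d-4cd6-9685-7accad2975f7.filesusr.com/ugd/479fa9_5c343c3c9bbb4f6c92b847e0d30a0707.pdf?index=true",
    "https://uploads.strikinglycdn.com/files/46314cf4-c382-43b4-839f-340f2adeeda3/rotinuwoka.pdf",
    "https://uploads.strikinglycdn.com/files/c99d94a1-b0cb-4c67-abed-dfc7d9c60e66/blackjack_rules_5_cards.pdf",
    "http://www.ascendercorp.com/",
    "http://scripts.sil.org/OFL",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://ns.adobe.com/xap/1.0/",
]

if __name__ == "__main__":
    r = assess_link_farm(SAMPLE_URLS)
    print(r["pdf_links"], r["distinct_hosts"], r["top_domain"], r["rules"])
```

On the sample the clustered rule fires because filesusr.com carries half of the ten PDF links, and the disposable rule fires because no single hostname dominates and every PDF link is on free hosting, which matches the pair of firings in this report. The font-vendor and XMP namespace URLs contribute nothing to either count, which is the behaviour a practitioner wants so that ordinary metadata does not inflate the score.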
Extracted artifacts (4)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000e998.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE998 | 5212 bytes | 4a213789a290205a8f694d471a00d05166cccfd2eee1deaf3c414f11b5efe32c |
| font_01_sfnt_off0000fb26.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFB26 | 3080 bytes | f5ab97b6c4959e639d4bf0aab23e1338b1c0ffbd1d785b5ae51cd7f11bf127d3 |
| font_02_sfnt_off000107ee.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x107EE | 10892 bytes | a84c4993f26ddb47a448d6428f8bbecdee278dbb31cde4369545114ddb04ecca |
| font_03_sfnt_off00012cda.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12CDA | 4324 bytes | 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361 |
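The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic in the list above describes a parser-confusion shape rather than a specific finding, so a practitioner triaging such a report usually wants to see what first-wins and last-wins readers would each resolve for the duplicated object. The following is an added example, not the analyzer's code, of a deliberately simple scanner for that shape. It tokenises `N G obj ... endobj` with a regex, which is adequate for the constructed sample but would misparse a stream whose data happens to contain the bytes "endobj"; a /Length-aware parser is needed for real files. The set of dictionary keys treated as "active content" and the constructed PDF bytes are assumptions.

```python
"""Find indirect objects defined more than once with differing bodies (added example)."""
import re
from collections import defaultdict

# "N G obj ... endobj"; the lookbehind stops "12 0 obj" being read as "2 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)

# Keys that make a body "active content" for severity purposes (assumed list;
# the report does not enumerate the analyzer's own set).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")


def scan_duplicate_objects(pdf: bytes) -> list:
    """Return one finding per object id whose definitions differ in body bytes."""
    bodies = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        bodies[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    findings = []
    for (num, gen), defs in bodies.items():
        if len(defs) < 2 or all(d == defs[0] for d in defs):
            continue  # single definition, or byte-identical redefinitions
        first, last = defs[0], defs[-1]  # what first-wins / last-wins readers see
        active = any(k in first or k in last for k in ACTIVE_KEYS)
        findings.append({
            "obj": f"{num} {gen}",
            "definitions": len(defs),
            "first_wins": first,
            "last_wins": last,
            # body-only differences stay "info"; raise only when active content is involved
            "severity": "medium" if active else "info",
        })
    return findings


# Constructed sample: an original file followed by one incremental update that
# redefines the catalog (1 0) with an /OpenAction, the page tree (2 0) with a
# benign count change, and the page (3 0) byte-identically.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
    b"/OpenAction << /S /URI /URI (https://example.invalid/) >> >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R 4 0 R] /Count 2 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Prev 9 >>\n%%EOF\n"
)

if __name__ == "__main__":
    for f in scan_duplicate_objects(SAMPLE_PDF):
        print(f["obj"], f["definitions"], f["severity"])
        print("  first-wins:", f["first_wins"].decode())
        print("  last-wins: ", f["last_wins"].decode())
```

The scanner reports objects 1 0 and 2 0 but not 3 0, and only the catalog is raised above "info" because its last-wins body introduces an /OpenAction with a URI. That is the split the heuristic text describes: incremental updates legitimately rewrite bodies all the time, so the signal is not the duplicate itself but a duplicate whose competing versions differ in what the reader will execute or navigate to.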