MALICIOUS
194
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
T1203 Exploitation for Client Execution
The sample is a PDF file flagged as malicious by ClamAV and an ML classifier. It contains a malformed stream and a critical heuristic indicates a link to known malicious redirector infrastructure at 'https://dafemum.ru/strik?utm_term=modern+information+retrieval+book'. The document body, though heavily corrupted, suggests a lure related to information retrieval or a manual, and a heuristic indicates the presence of a content-enable lure instructing the user to enable macros or editing.
Machine Learning
- Nyx PDF Classifier malicious score 0.8086
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Malformed active-content stream length medium PDF_MALFORMED_EXPLOIT_STREAM_LENGTHA PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://dafemum.ru/strik?utm_term=modern+information+retrieval+book In PDF document text
- https://static.s123-cdn-static.com/uploads/4407749/normal_5ff4c0ee3f570.pdfIn PDF document text
- http://adanakebap.org/dell_precision_m4600_manualrabj4.pdfIn PDF document text
- https://tafevivif.weebly.com/uploads/1/3/2/6/132682704/6750857.pdfIn PDF document text
- https://gigazubexu.weebly.com/uploads/1/3/4/6/134613152/4752088.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4369150/normal_602f310ea8e44.pdfIn PDF document text
- http://cosmosqrab.online/jerirukuzee5izy.pdfIn PDF document text
- http://topsalon.xyz/does_stretching_relieve_sore_musclesu7rea.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4455901/normal_5ff772a0e721e.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4369158/normal_602e3c63b9b0b.pdfIn PDF document text
- http://urro-hu.com/luvefel7mymi.pdfIn PDF document text
- http://wolotalute.iblogger.org/boom_boom_dance_zumba.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4427274/normal_6017d65e815d0.pdfIn PDF document text
- http://brosbass.com/morejlxwma.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4382196/normal_5fd030bbc8882.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/legesiliv/libro_cerebrito_editorial_megabyte.pdfIn PDF document text
- http://sanonusujinuz.rf.gd/raliwuvekenabifuzijaf.pdfIn PDF document text
- http://zajoneforisomi.rf.gd/34208969443.pdfIn PDF document text
- https://s3.amazonaws.com/fakuguvil/pinugagajupixewiv.pdfIn PDF document text
- http://dajovomofoziso.rf.gd/avira_antivirus_for_pc_free.pdfIn PDF document text
- https://s3.amazonaws.com/vonusirukete/78443103422.pdfIn PDF document text
- https://s3.amazonaws.com/rovikibixu/61186431005.pdfIn PDF document text
- http://vutevesofu.rf.gd/endless_legend_guide_necrophages.pdfIn PDF document text
- https://s3.amazonaws.com/ginutu/android_software_in_order.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000696b9.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x696B9 | 19408 bytes |
SHA-256: 043400a7369119c558e4b8f46b52bbf41a7da6e04f6060534513db0ed663ab9b |
|||
font_01_sfnt_off0006d057.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6D057 | 5144 bytes |
SHA-256: 46e31390d48f2982ad0c60397893df3f3e1d9812b02d6605434e4010a08a665d |
|||
font_02_sfnt_off0006e1d8.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6E1D8 | 16296 bytes |
SHA-256: 5ce86db5d07e9962b796759a23c2c36f2cc6abee734ef8f6d81c3eea63d8cd51 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.