Verdict: MALICIOUS
Risk Score: 304
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
- T1203 Exploitation for Client Execution
The PDF contains numerous embedded links, at least one of which points to a known malicious redirector. Heuristics indicate a generated link farm designed to lure users, potentially into credential phishing or the download of additional payloads. The ML classifier flags the PDF as malicious with high confidence, and ClamAV also detects it as a phishing trojan. Note that the heuristic findings below report no JavaScript and no parser-exploit content: the risk lies in the linked destinations and the social-engineering lures, so the T1059.007 and T1203 mappings above are not corroborated by the findings in this report.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9996
Heuristics (8)
- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- MFA / one-time-code harvesting lure (high, SE_MFA_LURE): The document asks for a one-time code, authenticator approval, or MFA confirmation, consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): A small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the "free document/template" SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations. This finding and PDF_SEO_LINK_FARM above make opposite claims about host clustering; the URL list below shows many distinct filesusr.com subdomains alongside a spread of free-hosting domains, so whether one host dominates depends on whether hosts are counted by full hostname or by registered domain.
- Callback phishing phone lure (medium, SE_CALLBACK_LURE): The document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All URLs below were found in the PDF document text:
  - https://dafemum.ru/strik?utm_term=how+to+port+my+phone+number+online+t+mobile
  - http://nejamaranidirit.22web.org/vimeo_video_url_format.pdf
  - http://kalulib.iblogger.org/21573322560.pdf
  - http://freefire-gifts.com/korean_music_show_wins_2020zrgkf.pdf
  - http://afracheat4.xyz/minecraft_dungeons_update_reviewgr046.pdf
  - http://janexik.22web.org/show_me_a_map_of_prince_edward_island_canada.pdf
  - http://www.ascendercorp.com/
  - http://www.ascendercorp.com/typedesigners.html
  - https://19e6fc83-c281-4d06-93fd-e8b16a02b90a.filesusr.com/ugd/ce5d00_b7b510cf1fe24e51b2df93cb77c991ba.pdf?index=true
  - https://e668d0bc-6b9c-4787-ac64-5363b724ef62.filesusr.com/ugd/6ec699_6347f19b839b4b47a1c35b30a4ea6e6e.pdf?index=true
  - https://d2d87fd5-5f4d-49aa-ab3c-2263ce4b5d22.filesusr.com/ugd/9169d2_8e462adf12264689975064b9bf97bdf3.pdf?index=true
  - https://f1fb087f-5d49-4061-aa02-230b108315d3.filesusr.com/ugd/645068_fc40e51cd780451299e338af2033b495.pdf?index=true
  - https://ac734925-007a-49fa-9a6b-2340142042ec.filesusr.com/ugd/ea78e0_acd2b768efa045edab981b9c500ada13.pdf?index=true
  - http://bipedok.epizy.com/letasoft_sound_booster_para_android.pdf
  - http://jotikovan.rf.gd/79411449466.pdf
  - https://22fea36a-5e19-4af1-b4aa-fe6e1efe0ee9.filesusr.com/ugd/b5a188_2e89bc9796db4e11b44c42350bd2510c.pdf?index=true
  - http://buvodadixasiz.epizy.com/wukerosajik.pdf
  - https://9a1eab6f-da2d-4a41-99bb-18a59f11b130.filesusr.com/ugd/c2b690_d832790c1f484b9aaab8058861ac38bd.pdf?index=true
  - https://4b3b4da4-1145-40fd-8a04-0ac29766dab0.filesusr.com/ugd/6c6203_15aa088a33cc4007b71e4fc73aadd7be.pdf?index=true
  - https://e5058785-d3d1-442e-b0ad-d0045053dde7.filesusr.com/ugd/17c622_df3b736c655d4571950024a9e3542fd6.pdf?index=true
  - https://3c3b6f52-20a2-448a-be11-eec5930c502f.filesusr.com/ugd/0ca786_14e984222f3d4f9e822d6251511d2675.pdf?index=true
  - https://45b0b119-5f8c-43e7-b437-4e12d17c1c81.filesusr.com/ugd/3826db_f2ba0f179b654f0f89166f26bc8db39a.pdf?index=true
  - http://ninijoziwedef.rf.gd/the_magic_flute_music_box.pdf
  - https://6632aaff-1fe9-4f1d-acb3-7d444e457837.filesusr.com/ugd/ce4b7c_a5767652bef44fd8985562d6498f87cd.pdf?index=true
  - https://d4996ccb-aecf-47c4-aab6-3c4fe022e1b7.filesusr.com/ugd/b7ed05_061f63668690471fa2804d4184b446ac.pdf?index=true
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/rights/
  - http://scripts.sil.org/OFL
  The last seven entries (the w3.org RDF, purl.org Dublin Core and ns.adobe.com XMP/PDF namespace URIs, and the SIL Open Font License URL) are metadata namespace identifiers and a font-licence reference, not clickable link targets, and should not be treated as indicators.
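The two link-farm heuristics (PDF_SEO_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM) and the duplicate-object check (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced without a full PDF parser. The following Python is an added example written for this page, not the analyzer's own code: it pulls /URI link-annotation targets out of raw PDF bytes, measures host clustering and the disposable-host/utm_term corroborating signals, and flags indirect objects that are defined twice with different bodies. The thresholds (200 KB size cap, five links, 60% dominant-host ratio), the disposable-host suffix list (taken from the hosts in this report's URL list), the sample PDF bytes and the CLUSTERED_URIS list are all constructed assumptions for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample (not the analysed file): a minimal PDF skeleton with six
# /Link annotations and object "4 0" defined twice with different bodies, the
# shape an incremental update leaves behind.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R 9 0 R 10 0 R] >> endobj
4 0 obj << /Length 8 >> stream
old body
endstream endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example-a.22web.org/one.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example-b.epizy.com/two.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://0000-1111.filesusr.com/ugd/three.pdf?index=true) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example-c.rf.gd/four.pdf) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example-d.iblogger.org/five.pdf) >> >> endobj
10 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redirect.example.invalid/strik?utm_term=free+template) >> >> endobj
4 0 obj << /Length 10 >> stream
NEW body!!
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Hypothetical second link set: six PDF links all parked on one host.
CLUSTERED_URIS = [f"http://farm.example/doc{i}.pdf" for i in range(1, 7)]

# Free/disposable hosting suffixes, taken from the hosts in this report's URL list (assumed list).
DISPOSABLE_HOST_SUFFIXES = (".22web.org", ".epizy.com", ".rf.gd", ".iblogger.org", ".filesusr.com")

# /URI (...) literal strings. Simplification: escaped or nested parentheses, hex
# strings and URIs inside compressed object streams are not handled here.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# "N G obj ... endobj" at line start; DOTALL so stream bodies are part of the body.
OBJ_RE = re.compile(rb"^(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.MULTILINE | re.DOTALL)


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI action target found in the raw bytes, in file order."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def _host(uri: str) -> str:
    return (urlparse(uri).hostname or "").lower()


def link_farm_findings(uris: list[str], pdf_size: int, max_size: int = 200_000,
                       min_links: int = 5, dominant_ratio: float = 0.6) -> list[str]:
    """Classify a small PDF's external .pdf links as a clustered or a disposable-host link farm."""
    if pdf_size > max_size:          # "small PDF" gate: large documents cite legitimately
        return []
    pdf_links = [u for u in uris
                 if urlparse(u).scheme in ("http", "https")
                 and urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf_links) < min_links:
        return []
    findings = []
    _top_host, top_count = Counter(_host(u) for u in pdf_links).most_common(1)[0]
    if top_count / len(pdf_links) >= dominant_ratio:
        findings.append("PDF_SEO_LINK_FARM")                 # one host dominates
    else:
        on_disposable = any(_host(u).endswith(DISPOSABLE_HOST_SUFFIXES) for u in pdf_links)
        seo_redirector = any("utm_term" in parse_qs(urlparse(u).query) for u in uris)
        if on_disposable or seo_redirector:
            findings.append("PDF_SEO_DISPOSABLE_LINK_FARM")  # spread thin, but corroborated
    return findings


def duplicate_object_bodies(pdf: bytes) -> dict[tuple[int, int], tuple[bytes, bytes]]:
    """Map (num, gen) -> (first body, last body) for objects defined twice with differing bytes.

    A first-wins reader renders the first body; a last-wins reader (normal
    incremental-update semantics) renders the last one.
    """
    bodies: dict[tuple[int, int], list[bytes]] = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        bodies.setdefault(key, []).append(m.group(3).strip())
    return {k: (v[0], v[-1]) for k, v in bodies.items() if len(set(v)) > 1}


def scan(pdf: bytes) -> dict:
    """Run both checks over one file and return the findings."""
    uris = extract_uris(pdf)
    return {
        "uris": uris,
        "findings": link_farm_findings(uris, len(pdf)),
        "duplicate_objects": sorted(duplicate_object_bodies(pdf)),
    }


if __name__ == "__main__":
    report = scan(SAMPLE_PDF)
    print(f"{len(report['uris'])} URIs, findings={report['findings']}, "
          f"duplicate objects={report['duplicate_objects']}")
```

On the constructed sample the five .pdf links sit on five different disposable hosts, so only the non-clustered finding fires; on CLUSTERED_URIS the dominant-host branch fires instead. Real samples need the URIs decoded properly (PDF string escapes, hex strings, object streams) before counting, and the duplicate-object check should be paired with a look at whether the later body introduces active content such as /JS, /Launch or /OpenAction, which is what the report's rule uses to raise severity.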
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f329.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF329 | 4968 bytes | 1db331c49e237294a790a9df9a5ff5cc97d40cf0c69de5cff98cf013f52c893a |
| font_01_sfnt_off000103f6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x103F6 | 10828 bytes | 8cb5c478754107484d682fb12b4b4c858d5e579bf7fd9ec5fb5ab345d874013c |