Verdict: MALICIOUS
Risk Score: 214
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The sample is a PDF file flagged by multiple critical heuristics as malicious, including a redirector link and a link farm. The embedded links, such as 'https://dafemum.ru/strik?utm_term=are+trs+benefits+taxable', likely lead to phishing sites or malware downloads. The document body, though heavily obfuscated, contains text that appears to be a lure related to taxable benefits, reinforcing the phishing pretext.
Machine Learning
- Nyx PDF Classifier malicious score 0.9994
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs, all found in PDF document text:
  - https://dafemum.ru/strik?utm_term=are+trs+benefits+taxable
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000ff12.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFF12 | 4956 bytes | 3e9846280c614cdfc6d2d17a9811de40364b0ef74806202aa5f81ec54454bdda |
| font_01_sfnt_off00011001.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11001 | 11276 bytes | 2070534830bf89ae4ca5fefca23f2cf8ae7036a3b52b1d6675c94a8fe23c93b2 |