Malicious PDF — malware analysis report

Static analysis result for SHA-256 755752e2602b5f7b…

MALICIOUS

PDF

Size: 58.4 KB
Created: 2021-04-05 08:57:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ee4175ce6e8aabf00e98cc5e36551a77
SHA-1: 19d2b1dee109f9edcb45bd02212b5dd06048bb46
SHA-256: 755752e2602b5f7bcb0d36c818baddb67568380ed32b948e9d967b29b8baf393
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains a single image designed as a lure, with a critical heuristic firing indicating it links to known malicious redirector infrastructure. The ML classifier also flagged the PDF as malicious. The embedded URL, https://yafferge.ru/aws?utm_term=who+goes+first+after+go+in+cribbage, is the primary indicator of malicious intent, likely leading to a phishing or malware download page. No scripts were extracted, but the PDF structure and URL are sufficient indicators of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8907

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-only document with action trigger (screenshot lure) [medium] PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 58 KB. This is the typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://yafferge.ru/aws?utm_term=who+goes+first+after+go+in+cribbage