MALICIOUS
214
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
T1203 Exploitation for Client Execution
The PDF contains a critical heuristic firing for a malicious redirector link impersonating Microsoft, indicating a credential phishing attempt. It also contains a link farm heuristic, suggesting it's part of a larger SEO manipulation scheme. The embedded URL points to a redirector that likely leads to a malicious site or payload download.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Brand-impersonation credential phishing lure critical SE_BRAND_CREDENTIAL_PHISHDocument impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://fidevawane.weebly.com/uploads/1/3/0/8/130814252/4a8d5db.pdf.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://gettraff.ru/wb?keyword=factoring%20perfect%20square%20binomial%20worksheet In PDF document text
- https://fidevawane.weebly.com/uploads/1/3/0/8/130814252/4a8d5db.pdfIn PDF document text
- http://fontawesome.iohttp://fontawesome.io/license/In PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.daltonmaag.com/In PDF document text
- https://s3.amazonaws.com/vufuzewasi/section_20.4_electronic_devices_worksheet_answers.pdfIn PDF document text
- https://s3.amazonaws.com/dadupawo/51890142608.pdfIn PDF document text
- https://s3.amazonaws.com/kawotexulozax/yiruma_easy_piano.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/898390fa-77ff-4483-9240-4603d164a2d6/65326798957.pdfIn PDF document text
- https://s3.amazonaws.com/lanorolowu/riscos_ambientais_no_ambiente_de_trabalho.pdfIn PDF document text
- https://s3.amazonaws.com/mijedusovineti/74822692297.pdfIn PDF document text
- https://s3.amazonaws.com/mutirexa/catskills_hiking_map.pdfIn PDF document text
- https://s3.amazonaws.com/jedaxopopuko/rotegud.pdfIn PDF document text
- https://s3.amazonaws.com/gorajikunobixi/gopozoliz.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 5
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000fa4b.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFA4B | 3384 bytes |
SHA-256: e93ba6038b410302e1d7eaf9d9d8583c154568a49cd971aab5376f2569b2e4f3 |
|||
font_01_sfnt_off000107a8.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x107A8 | 5688 bytes |
SHA-256: 099092e9caffc97e8c1b8d954ff13eafb5d5b1c439765bbf8c03b3fcd382ceb0 |
|||
font_02_sfnt_off00011ae6.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11AE6 | 10972 bytes |
SHA-256: fd6fab9b7f1421eeefb848b8bc14044d212d46489336638e497b8f0bc48d6a7b |
|||
font_03_sfnt_off00013feb.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x13FEB | 16084 bytes |
SHA-256: 249651805b0a8f5b4743f17da7e3943b18be49f9c75a96c0f18a2f62b87e55bb |
|||
font_04_sfnt_off00015497.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x15497 | 4324 bytes |
SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.