MALICIOUS
244
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains a significant number of embedded links, with many pointing to external PDF files hosted on disposable domains. One critical heuristic indicates these links are part of a malicious redirector infrastructure. The ML classifier also flagged this PDF as malicious, and ClamAV detected it as a phishing trojan. The document body is heavily obfuscated, preventing a clear understanding of its specific lure, but the link farm strongly suggests a phishing or SEO manipulation attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://yafferge.ru/award?keyword=treatment+case+study+pdf In PDF document text
- https://xedasijaw.weebly.com/uploads/1/3/1/4/131453620/e2b2c1eb622ba1d.pdfIn PDF document text
- https://kezeminitiwo.weebly.com/uploads/1/3/4/4/134476020/fb69f3174.pdfIn PDF document text
- https://rakawixedisika.weebly.com/uploads/1/3/5/3/135324789/ferabug_pafofozididut_kofewakoku_sefawavutunevig.pdfIn PDF document text
- https://dipediras.weebly.com/uploads/1/3/0/7/130739778/47f1627417aa1dd.pdfIn PDF document text
- http://kefipipina.22web.org/radifeweg.pdfIn PDF document text
- https://taxamoxegira.weebly.com/uploads/1/3/4/8/134895948/512843.pdfIn PDF document text
- https://bepagiji.weebly.com/uploads/1/3/4/3/134352373/6466894.pdfIn PDF document text
- http://bewaniv.22web.org/first_aid_2018_google_drive.pdfIn PDF document text
- https://mulokigapasol.weebly.com/uploads/1/3/1/0/131070847/jumipuzatumofepib.pdfIn PDF document text
- https://bopevifobomamak.weebly.com/uploads/1/3/0/8/130814579/d44e5cb22.pdfIn PDF document text
- https://kozewofedira.weebly.com/uploads/1/3/4/8/134899359/meloxetikolid-fevumazidexinam-nazuliwak-wipun.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://f803bf1b-e1c2-47f6-a41f-c9785c88fbd4.filesusr.com/ugd/bf07b1_fac49ea517784b3183114ef4ca602973.pdf?index=trueIn PDF document text
- https://3d7304b5-8527-495f-b913-615d6f357a43.filesusr.com/ugd/ef7486_3f975dce7b3a4b18a268ba58aed717b6.pdf?index=trueIn PDF document text
- https://9eaa565e-fb97-40b4-b096-d6760803f699.filesusr.com/ugd/55e2c6_c3b137292b7846ff8b7da53ad81dab5c.pdf?index=trueIn PDF document text
- https://57eba762-b826-4879-8d7a-7f480aba2934.filesusr.com/ugd/e89c2b_48d0dc18be054fc2a0ccfac347595ae9.pdf?index=trueIn PDF document text
- https://1b6fbac1-9b66-4609-9151-81f5d4c316f7.filesusr.com/ugd/5e81b9_a756d31917eb4fbf93c2095fcb4f5b7e.pdf?index=trueIn PDF document text
- http://fonivez.epizy.com/cateye_velo_7_manual_portugues.pdfIn PDF document text
- http://lavodusepigixu.rf.gd/radeseputadejif.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000dcd6.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDCD6 | 5320 bytes |
SHA-256: 4e1416cc4c40245e415eb5da9ef271e1311b587a47a0b51afe6ed184ccbeec92 |
|||
font_01_sfnt_off0000eedf.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEEDF | 10764 bytes |
SHA-256: adcd7c914dc63fc68bc47993905dfd7d27ff5903b81e460233a39cf96a113f53 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.