MALICIOUS
184
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
This PDF file was flagged by multiple heuristics as malicious, including a critical alert for linking to known malicious redirector infrastructure. The embedded content, though heavily obfuscated, appears to contain text related to 'hacked unblocked google sites', suggesting a lure to phishing or malware distribution sites. The presence of numerous embedded URLs, many pointing to unknown or suspicious domains, further supports this attack pattern.
Machine Learning
- Nyx PDF Classifier malicious score 0.9991
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://yafferge.ru/wix?keyword=run+3+hacked+unblocked+google+sites In PDF document text
- http://form-lnstagramverificationbadge.com/sat_math_concepts_review80vtv.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4420013/normal_6010d6a6b2468.pdfIn PDF document text
- http://abreudesigns.com/an_inspector_calls_amazon_trailergbzqh.pdfIn PDF document text
- https://mojoranazo.weebly.com/uploads/1/3/4/4/134403481/9837275.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4385014/normal_5fdd924982a01.pdfIn PDF document text
- http://jushq.pro/zaludijaxufuzomifikikegi028q8.pdfIn PDF document text
- http://circulshtangcalip.website/class_12_physics_solutions_in_hindi_downloadyvcwx.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4367625/normal_600a5501d6da1.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4477878/normal_604b378e26779.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4443325/normal_606301b105155.pdfIn PDF document text
- https://watuxiso.weebly.com/uploads/1/3/2/7/132740831/gukawob-doxafi.pdfIn PDF document text
- http://coolvdomaion.online/43797920434jsljs.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4372963/normal_5fca938840e65.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4411252/normal_5fdf86d485ac8.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.daltonmaag.com/In PDF document text
- https://uploads.strikinglycdn.com/files/a6c7b12e-cc7b-4ea2-8f73-ead4c6bbedc0/what_does_a_hotel_operations_manager_do.pdfIn PDF document text
- https://s3.amazonaws.com/norozovijalu/select_find_text_word_vba.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d76b92b7-fd69-4637-98c5-eb091429ff0a/96844637999.pdfIn PDF document text
- https://s3.amazonaws.com/sojaxub/xotuladatez.pdfIn PDF document text
- https://s3.amazonaws.com/metubevozisul/sozovadurur.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/bafd3602-0cf2-4afd-99fc-b9532c9e7dec/39728856810.pdfIn PDF document text
- https://s3.amazonaws.com/jagux/free_torch_browser_for_macbook_pro.pdfIn PDF document text
- https://s3.amazonaws.com/tujeviwakirawu/zujosakeboduk.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/64f1f784-8e1f-4c42-bb44-976f876680a5/23795843182.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000ecb2.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xECB2 | 5360 bytes |
SHA-256: cede855156dff0b158afe3ce47334d902aa0eb327b6846a15d2dcf40192ffc06 |
|||
font_01_sfnt_off0000fedf.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFEDF | 10596 bytes |
SHA-256: c89fb929ff9be0f3dd4bc98e832d13c6dcbfda9b3ddeb5046cfc2cf8a0d8dac9 |
|||
font_02_sfnt_off000122f4.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x122F4 | 4324 bytes |
SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.