Verdict: MALICIOUS
Risk Score: 244

Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF carries many clickable links, one of which (https://crophysi.ru/123?utm_term=cross-+platform+meaning+synonyms) points at known malicious redirector infrastructure. Its utm_term value repeats the lure text found in the document body, 'cross-platform meaning synonyms', the search query this file is built to rank for. The other 22 clickable .pdf links spread across five free content-hosting services (uploads.strikinglycdn.com 8, *.filesusr.com 7, *.weebly.com 3, static.s123-cdn-static.com 2, cdn-cms.f-static.net 2), so the non-clustered link-farm heuristic describes this sample better than the clustered one, although both fired. Together with the ClamAV signature and the ML classifier score, this identifies a generated SEO link-farm PDF used in a phishing/redirection campaign: the file depends on the user clicking through a redirect chain, not on a parser exploit. No heuristic reports embedded JavaScript, so the T1059.007 mapping above is not corroborated by the findings listed below.
Machine Learning
- Nyx PDF Classifier malicious score 0.9673
Heuristics (6)
- [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure. The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm. The PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- [medium] PDF_SEO_DISPOSABLE_LINK_FARM: Small PDF is a non-clustered link farm on disposable hosting. The PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies. The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label names the channel (macro, JS, link annotation, document body, ...) that reached each URL. Every URL below was found in PDF document text:
  - https://crophysi.ru/123?utm_term=cross-+platform+meaning+synonyms
  - https://static.s123-cdn-static.com/uploads/4505102/normal_5ff226ed81d1e.pdf
  - https://puxofigu.weebly.com/uploads/1/3/5/3/135347112/xavezute-kupulude-bobagulaxi.pdf
  - https://cdn-cms.f-static.net/uploads/4443819/normal_601100b28bad4.pdf
  - https://cdn-cms.f-static.net/uploads/4414360/normal_602204f249560.pdf
  - https://lifitexuga.weebly.com/uploads/1/3/4/3/134356919/javudonewarosepuvuja.pdf
  - https://ralerafuzirepob.weebly.com/uploads/1/3/4/3/134386916/fezemafoxuvigaje.pdf
  - https://static.s123-cdn-static.com/uploads/4402936/normal_5feeaf40ac715.pdf
  - http://www.ascendercorp.com/
  - http://www.ascendercorp.com/typedesigners.html
  - http://fedorahosted.org/lohit
  - http://www.opentle.org
  - http://www.daltonmaag.com/
  - https://fd0ef26f-7b8f-4c91-b3b2-19f7ec93487a.filesusr.com/ugd/4174bf_5725c7ae3e5b4b83a595d04763666561.pdf?index=true
  - https://uploads.strikinglycdn.com/files/6b2fb2fe-a490-468a-8607-1658af96978e/kedofigetetapeko.pdf
  - https://uploads.strikinglycdn.com/files/83a9d313-480c-4ab2-907c-69376516f23a/fibabovofaguxewulabin.pdf
  - https://uploads.strikinglycdn.com/files/1db84d72-6758-41d9-b8a9-608d7170a67a/godefurozer.pdf
  - https://9b08d158-0e0f-4203-9b31-e1272d977b1c.filesusr.com/ugd/086daf_bc961680170b483a93a1023f558f3d29.pdf?index=true
  - https://uploads.strikinglycdn.com/files/3a02ef8b-bb74-417f-817f-c97c1b22124c/vuwevomupetev.pdf
  - https://uploads.strikinglycdn.com/files/aae517ec-f627-48c1-aab5-a58ad4db410c/how_to_learn_italian_fast_and_easy.pdf
  - https://6d23287f-a15b-43b7-8d69-700c0e01f504.filesusr.com/ugd/185c00_ebb109b64d314c178f6cf18854302f34.pdf?index=true
  - https://c69a8150-bb1e-4c46-878b-fc1622391bd7.filesusr.com/ugd/cf91d6_5b9c910d58ac41ef963d4a7dd3ef298a.pdf?index=true
  - https://97d49ff2-d914-4ae4-8ac8-5e5cf5f77cad.filesusr.com/ugd/6350c7_f09d690cacc24b66ba84adf31024337c.pdf?index=true
  - https://uploads.strikinglycdn.com/files/0bc61b1f-950c-43ce-b747-2db9f1df42ea/what_is_the_weight_of_diesel_fuel_per_litre.pdf
  - https://uploads.strikinglycdn.com/files/048a8276-8f14-40fe-b722-1c23e0034545/romuxefebe.pdf
  - https://8035c368-62b5-4e0f-b07c-73fd2baf85c9.filesusr.com/ugd/2ee8d4_687944ccdfc240148d0b53af23e3021e.pdf?index=true
  - https://uploads.strikinglycdn.com/files/cafe27fe-0237-4617-9387-4c601b4799f1/87826777514.pdf
  - https://fbaba6ab-37cf-477f-82bd-e10a416eccda.filesusr.com/ugd/3c8574_0cf1383da76542a7881b5b3875a9543a.pdf?index=true
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/rights/
  - http://dejavu.sourceforge.net
  - http://dejavu.sourceforge.net/wiki/index.php/License
  - http://scripts.sil.org/OFL
  - http://www.gnu.org/licenses/gpl.html
  Analyst note: the five font-vendor URLs (www.ascendercorp.com, fedorahosted.org/lohit, www.opentle.org, www.daltonmaag.com) and the last ten entries (the w3.org, purl.org and ns.adobe.com XMP namespaces, dejavu.sourceforge.net, scripts.sil.org/OFL and www.gnu.org/licenses/gpl.html) are XMP metadata namespace URIs and vendor/licence strings carried by the embedded fonts. They appear in any PDF that embeds these open fonts and are not lure links; only the crophysi.ru redirector and the 22 .pdf links on free content hosts are relevant indicators.
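As an added worked example, not the analyzer's own code, the Python below reimplements a simplified form of three of the checks above: PDF_SEO_LINK_FARM (many clickable external .pdf links clustered on one host), PDF_SEO_DISPOSABLE_LINK_FARM (links spread thin across many hosts, corroborated by a utm_term redirector and/or free content hosts) and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (one object number defined twice with different bodies). The thresholds and the free-host suffix list are assumptions, and the sample PDF is constructed here, reusing six URLs from this report, rather than being the analysed file.

```python
"""Simplified link-farm and duplicate-object heuristics for a PDF.

Added example, not the analyzer's code. Thresholds and the free-host list are
assumptions chosen for illustration.
"""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumption: free/disposable content hosts, taken from the hosts that appear in
# this report's URL list rather than from an authoritative source.
DISPOSABLE_HOST_SUFFIXES = ("weebly.com", "filesusr.com", "strikinglycdn.com",
                            "s123-cdn-static.com", "f-static.net")
MIN_PDF_LINKS = 5      # assumption: below this, external links look like citations
DOMINANT_SHARE = 0.5   # assumption: one host carrying half the links = clustered

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")                       # link-annotation targets
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)  # 'N G obj ... endobj'

# Constructed sample: six link annotations (URLs reused from this report) and
# object 20 defined twice with different bodies. Not the analysed file itself.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [10 0 R 11 0 R 12 0 R 13 0 R 14 0 R 15 0 R] >> endobj
10 0 obj << /Subtype /Link /A << /S /URI /URI (https://crophysi.ru/123?utm_term=cross-+platform+meaning+synonyms) >> >> endobj
11 0 obj << /Subtype /Link /A << /S /URI /URI (https://puxofigu.weebly.com/uploads/1/3/5/3/135347112/xavezute-kupulude-bobagulaxi.pdf) >> >> endobj
12 0 obj << /Subtype /Link /A << /S /URI /URI (https://uploads.strikinglycdn.com/files/6b2fb2fe-a490-468a-8607-1658af96978e/kedofigetetapeko.pdf) >> >> endobj
13 0 obj << /Subtype /Link /A << /S /URI /URI (https://fd0ef26f-7b8f-4c91-b3b2-19f7ec93487a.filesusr.com/ugd/4174bf_5725c7ae3e5b4b83a595d04763666561.pdf?index=true) >> >> endobj
14 0 obj << /Subtype /Link /A << /S /URI /URI (https://static.s123-cdn-static.com/uploads/4505102/normal_5ff226ed81d1e.pdf) >> >> endobj
15 0 obj << /Subtype /Link /A << /S /URI /URI (https://cdn-cms.f-static.net/uploads/4443819/normal_601100b28bad4.pdf) >> >> endobj
20 0 obj << /Length 0 >> endobj
20 0 obj << /Length 5 /Filter /FlateDecode >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def extract_link_uris(pdf: bytes) -> list[str]:
    """Return the /URI targets of link annotations (clickable links only)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def classify_link_farm(uris: list[str]) -> dict:
    """Score clickable URIs against the clustered and non-clustered link-farm shapes."""
    pdf_links = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter((urlsplit(u).hostname or "") for u in pdf_links)
    redirectors = [u for u in uris if "utm_term" in parse_qs(urlsplit(u).query)]
    disposable = [u for u in pdf_links
                  if (urlsplit(u).hostname or "").endswith(DISPOSABLE_HOST_SUFFIXES)]
    top_share = max(hosts.values()) / len(pdf_links) if pdf_links else 0.0
    findings = []
    if len(pdf_links) >= MIN_PDF_LINKS:
        if top_share >= DOMINANT_SHARE:
            findings.append("PDF_SEO_LINK_FARM")
        elif redirectors or disposable:
            findings.append("PDF_SEO_DISPOSABLE_LINK_FARM")
    return {"pdf_links": len(pdf_links), "distinct_hosts": len(hosts),
            "top_host_share": round(top_share, 2), "redirectors": redirectors,
            "disposable_links": len(disposable), "findings": findings}


def duplicate_objects(pdf: bytes) -> dict[str, tuple[bytes, bytes]]:
    """Map 'N G' to (first body, last body) for objects defined twice with
    different bytes. A first-wins reader resolves the former; a last-wins reader
    (the common behaviour, honouring the latest incremental update) the latter."""
    seen: dict[str, list[bytes]] = {}
    for num, gen, body in OBJ_RE.findall(pdf):
        seen.setdefault(f"{int(num)} {int(gen)}", []).append(body.strip())
    return {key: (bodies[0], bodies[-1]) for key, bodies in seen.items()
            if len(bodies) > 1 and bodies[0] != bodies[-1]}


if __name__ == "__main__":
    uris = extract_link_uris(SAMPLE_PDF)
    print(classify_link_farm(uris))
    for key, (first, last) in duplicate_objects(SAMPLE_PDF).items():
        print(f"{key} obj: first-wins {first!r} vs last-wins {last!r}")
```

The duplicate-object check reports both bodies so an analyst can see what a first-wins and a last-wins reader would each resolve; as the heuristic text says, this is only informational unless the later body carries active content such as an action or script, which is the extra test a production rule would add.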
Extracted artifacts (10)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_010_off00016449.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x16449 | 18176 bytes | 9a53eb0f5d899206140142024e1329928d04523b9b037af6ea44b3d64dff0b7c |
| font_00_sfnt_off0000ddc3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDDC3 | 5684 bytes | d9df6945b54372b4ce1b038b385752c5e534dd56f39eb70cfae60a2504a527db |
| font_01_sfnt_off0000f19f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF19F | 5168 bytes | 1ef985f10a7686533a825f14dffa53f85312406fe9ef68d737e855d04e668ee9 |
| font_02_sfnt_off00010325.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10325 | 2656 bytes | dbaab8dcf32bfe64cb008f34eb54f5316f62236e8dffe3de49b44225404383a5 |
| font_03_sfnt_off00010e29.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10E29 | 2328 bytes | 864cbe2c6973b44d2b71e19ffbffb2328dcb3759b07ceb43c11d5a372fc4956d |
| font_04_sfnt_off000118df.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x118DF | 2108 bytes | d117309382da938f7dffedc42f90dd4217b4d540d75629b80669d975ecbc171e |
| font_05_sfnt_off000122aa.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x122AA | 6640 bytes | 538512be6c526ea957b587fa229624d829dca4873b622d187784a60d2c877fcd |
| font_06_sfnt_off00013448.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13448 | 15672 bytes | 02bb9009d0f7d3f59d5386f8195642f5a94b0be4c6aae7165a0f5dbb2e6f70fa |
| font_08_sfnt_off000180dd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x180DD | 4324 bytes | cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34 |
| font_09_sfnt_off00018ee8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x18EE8 | 3276 bytes | c12c670e310cd2dd0f4b1ea6ea0d01ef35e1284caa1cfc967b978b02bd897c09 |
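The artifacts above were carved by the analyzer. As an added example, not the analyzer's own code, the Python below shows how a table of that shape is produced for the FlateDecode streams: locate each stream, inflate it with zlib, and record its offset, decompressed size and SHA-256. It assumes the reported offset is that of the first stream data byte (an assumption about the analyzer's convention), and it deliberately bounds each stream by the endstream keyword rather than by /Length, which malformed and malicious PDFs frequently misstate; the sample PDF is constructed here with exactly that defect.

```python
"""Carve FlateDecode streams out of a PDF and hash them.

Added example, not the analyzer's code. Offsets are those of the first stream
data byte (an assumption); stream boundaries come from 'endstream', not /Length.
"""
from __future__ import annotations

import hashlib
import re
import zlib

# 'stream' keyword followed by EOL, excluding the tail of 'endstream'.
STREAM_KW = re.compile(rb"(?<!end)stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b")

# Constructed page content for the sample PDF; not taken from the real sample.
SAMPLE_CONTENT = b"BT /F1 12 Tf (cross-platform meaning synonyms) Tj ET"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve_flate_streams(pdf: bytes) -> list[dict]:
    """Return one record per /FlateDecode stream, decompressed where possible."""
    records = []
    for m in STREAM_KW.finditer(pdf):
        start = m.end()
        end = pdf.find(b"endstream", start)
        if end < 0:
            break  # unterminated stream: nothing more to carve
        # The stream dictionary sits between the enclosing 'N G obj' and 'stream'.
        obj_pos = pdf.rfind(b" obj", 0, m.start())
        dictionary = pdf[obj_pos:m.start()] if obj_pos >= 0 else b""
        if b"/FlateDecode" not in dictionary:
            continue
        raw = pdf[start:end]  # includes the EOL that precedes 'endstream'
        d = zlib.decompressobj()  # tolerates trailing bytes after the deflate end
        try:
            data = d.decompress(raw) + d.flush()
            complete = d.eof  # False if the deflate stream was truncated
        except zlib.error:
            data, complete = b"", False
        declared = LENGTH_RE.search(dictionary)
        declared_len = int(declared.group(1)) if declared else None
        actual_len = len(raw.rstrip(b"\r\n"))  # approximate: EOL before 'endstream' dropped
        records.append({
            "filename": f"stream_{len(records):03d}_off{start:08x}.bin",
            "offset": start,
            "declared_length": declared_len,
            "length_mismatch": declared_len is not None and declared_len != actual_len,
            "complete": complete,
            "size": len(data),
            "sha256": sha256_hex(data),
            "data": data,
        })
    return records


def build_sample_pdf() -> bytes:
    """Constructed two-stream PDF: a Flate stream with a wrong /Length, plus a plain one."""
    deflated = zlib.compress(SAMPLE_CONTENT)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n",
        # /Length 1 is deliberately wrong: carving must not trust it.
        b"4 0 obj << /Length 1 /Filter /FlateDecode >>\nstream\n",
        deflated, b"\nendstream\nendobj\n",
        b"5 0 obj << /Length 9 >>\nstream\nplain raw\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    for r in carve_flate_streams(build_sample_pdf()):
        print(f"{r['filename']} | {r['size']} bytes | sha256 {r['sha256']} | "
              f"complete={r['complete']} length_mismatch={r['length_mismatch']}")
```

Hashing the decompressed bytes, as the table does, lets the same content be matched across carrier PDFs whose compressed bytes differ; the length_mismatch and complete flags are the two checks worth surfacing when a stream's declared /Length disagrees with its real extent.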