MALICIOUS
184
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.001 User Execution: Malicious Link
T1059.007 JavaScript
The PDF contains numerous embedded URLs, with a critical heuristic firing indicating a link to known malicious redirector infrastructure. The document body, though heavily obfuscated, suggests a lure related to 'redox potential'. The presence of multiple links hosted on disposable domains and the ML classifier's high confidence score strongly indicate a phishing or redirection attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://yafferge.ru/strik?utm_term=how+to+find+redox+potential In PDF document text
- http://pshcomonhere.xyz/58138004147t745i.pdfIn PDF document text
- http://saganofodevuset.22web.org/5216374738.pdfIn PDF document text
- http://sovetnik53.ru/mariage_damour_piano_partitionkcllk.pdfIn PDF document text
- http://appletopshop.ru/rubalofbgxvd.pdfIn PDF document text
- http://sokfresh.fun/glitch_cam_pro_apk_premium_2020tw2yy.pdfIn PDF document text
- http://pegoluzalep.22web.org/56992387139.pdfIn PDF document text
- http://levantemosaic.com/844700512940opna.pdfIn PDF document text
- http://kovefubiwajulo.22web.org/xozukupepobeluzun.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.daltonmaag.com/In PDF document text
- https://uploads.strikinglycdn.com/files/08e74387-c52e-4134-8e2e-3b2b7a8ce41f/30540113040.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8cc38817-3a40-4550-8997-09fe7ea0488c/how_to_use_cen_tech_battery_charger.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/3f675216-c0ee-446d-a2f6-55d4d1501495/34700504199.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8c14ba2b-954c-41e7-957c-77ef26cd6ac2/onkyo_tx_sr705_factory_reset.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/64a45cd7-9773-4e6f-a572-2311cebbef99/68951972126.pdfIn PDF document text
- http://gumigojozupe.epizy.com/aeronautical_engineering_colleges_in_maharashtra_list.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f2a5bd31-5182-4dea-9dd8-ee786c5b1eeb/38330714045.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/05d33f8c-0951-4bf1-ac47-83d3d4a98a13/polar_ft60_battery_replacement.pdfIn PDF document text
- http://bugixud.epizy.com/a._b._s._t_full_form.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/9e73adb2-3354-4dd4-b25c-4c6cb565ba0b/gixat.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f0483cb6-9543-4fa6-9044-f80f98b42c22/what_are_the_five_major_modes_of_action_for_antibiotics.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8369b50d-e7be-4913-9632-dabce9554922/gigudixurenefedojuwelar.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/1c4e3987-63c9-410c-8cc3-989e3c90a280/kemebibigujubikokematok.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f8c8.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF8C8 | 4768 bytes |
SHA-256: 3e9cb6fc959df796361c4b2a036fd0ee80dc1162efa90266a7f9257dc4fccb72 |
|||
font_01_sfnt_off0001090c.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1090C | 11612 bytes |
SHA-256: af4429f21cc6ce1e8e42a2f27ad52da6f498e021effbd5318179cbfe90c589b5 |
|||
font_02_sfnt_off000130c8.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x130C8 | 4324 bytes |
SHA-256: 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.