MALICIOUS
244
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
T1203 Exploitation for Client Execution
The PDF contains a large number of links to external websites, many of which are hosted on disposable domains and point to redirectors. The document body, though heavily obfuscated, appears to be a lure related to game mods. The presence of PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM heuristics, along with ClamAV detection, strongly indicates malicious intent. The primary attack pattern involves luring users to malicious sites via a link farm, likely for phishing or malware delivery.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://crophysi.ru/strik?utm_term=fallout+4+unlimited+settlement+size+mod+pc In PDF document text
- https://xuvosaxefon.weebly.com/uploads/1/3/4/6/134605895/8559082.pdfIn PDF document text
- https://rejukikigukaw.weebly.com/uploads/1/3/5/3/135387704/vinibipopusoka.pdfIn PDF document text
- https://zuzameponotu.weebly.com/uploads/1/3/1/6/131606203/surefalanel_fusuwij.pdfIn PDF document text
- https://pijolonaponezu.weebly.com/uploads/1/3/4/8/134879261/dec4874721044e6.pdfIn PDF document text
- https://kejarokelevu.weebly.com/uploads/1/3/5/2/135297316/bivifob.pdfIn PDF document text
- https://wolapegod.weebly.com/uploads/1/3/0/7/130776073/1110130.pdfIn PDF document text
- https://miluxeto.weebly.com/uploads/1/3/5/3/135326788/4db7d1af14.pdfIn PDF document text
- https://dimomivij.weebly.com/uploads/1/3/4/5/134504604/4035154.pdfIn PDF document text
- https://vagaletufuwowi.weebly.com/uploads/1/3/2/6/132681464/7307611.pdfIn PDF document text
- https://xebejadeveroj.weebly.com/uploads/1/3/0/9/130969735/tufusobukefuzi.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/lezerawe/consolidated_balance_sheet_of_nestle_2017-_18.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/cb5382e9-6f27-4e09-a004-22a18d454360/denawetimix.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a4fe984c-ffaa-4ffc-ac29-2fbccd4eb938/77726460910.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8923b249-cdff-4081-96c3-16aeaa1c194a/44576063321.pdfIn PDF document text
- https://s3.amazonaws.com/venunamazozuzo/mutiza.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8824676f-9d7e-4595-98bc-06d94962ada1/fugojip.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f8abc299-1568-4e40-ade4-5ba528e0680f/75713291153.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/28fea622-1b69-4208-a6f3-88dc9e86dce5/what_is_the_recall_on_samsung_washing_machines.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e8993a63-e03d-4c7f-a22b-40dcc12ddf61/rofopofoxekeb.pdfIn PDF document text
- https://s3.amazonaws.com/warapagefasovi/2380201479.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000fe07.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFE07 | 5216 bytes |
SHA-256: 3d3ea390fed6d378d2e0c014eb1058ba77af233ee26c5a554795b5e454454db7 |
|||
font_01_sfnt_off00010fc8.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10FC8 | 11612 bytes |
SHA-256: 056e869892e1fcc458a6c4a49f1fe4d69bc00d5814209b2f7eb03ef3a888386c |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.