MALICIOUS
132
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF contains embedded links that point to a known malicious redirector. This indicates an attempt to lure the user to a malicious site, likely for phishing or to download further malware. No scripts were extracted, but the presence of redirector links is a strong indicator of malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9982
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINKPDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://botcraftman.ru/?lip&keyword=%D0%BA%D0%BE%D0%B4+%D0%B0%D0%BA%D1%82%D0%B8%D0%B2%D0%B0%D1%86%D0%B8%D0%B8+%D0%B4%D0%BB%D1%8F+%D1%84%D0%B8%D1%84%D0%B0+13+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D0%BE&charset=utf-8 In PDF document text
- http://fastpic.ru/In PDF document text
- http://www.liveinternet.ru/clickIn PDF document text
- http://img0.liveinternet.ru/images/attach/c/6//4304/4304458_root_explorer_219_skachat.pdfIn PDF document text
- http://img0.liveinternet.ru/images/attach/c/6//4304/4304437_klyuch_dlya_avast_internet_security_601000.pdfIn PDF document text
- http://img0.liveinternet.ru/images/attach/c/6//4304/4304460_skachat_minecraft_1_7_2_na_android.pdfIn PDF document text
- http://www.microsoft.com/typography/fonts/In PDF document text
- http://www.microsoft.com/typography/fonts/YouIn PDF document text
Extracted artifacts 6
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00024010.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x24010 | 3556 bytes |
SHA-256: 880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281 |
|||
font_01_sfnt_off00024d93.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x24D93 | 14912 bytes |
SHA-256: a20a552d37ccda3721a161f08befa2f9c8dc9a177731378d19e4561561ac019a |
|||
font_02_sfnt_off00027bbc.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x27BBC | 14468 bytes |
SHA-256: a8e34466c77775282ff35936152e77d2d006e6251a28fa13b9eb6049a2645024 |
|||
font_03_sfnt_off0002a667.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x2A667 | 7016 bytes |
SHA-256: d7d7cfb2f0012352d54904bd74c983b0b7931be08a615834a75f7e3421821615 |
|||
font_04_sfnt_off0002baba.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x2BABA | 6084 bytes |
SHA-256: 819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3 |
|||
font_05_sfnt_off0002ca4f.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x2CA4F | 3752 bytes |
SHA-256: 9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.