Verdict: MALICIOUS
Risk Score: 244
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file contains numerous links to external websites, many of which are identified as malicious redirectors or as part of a link farm. The document body, though heavily obfuscated, appears to reference product names, suggesting a lure to trick users into clicking malicious links. The presence of many external PDF links and a critical-severity redirector-link heuristic firing strongly indicates a phishing or malware-distribution attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.9992
Heuristics (6)
- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Channel for every URL below: PDF document text.
  - https://yafferge.ru/strik?utm_term=husky+portable+air+compressor+model%2523+y1010
  - http://dfwshootersupply.com/maxinamanuxogufimagavenijk0bzl.pdf
  - http://blancop.xyz/motorcycle_diaries_che_guevara_quotes6j4yd.pdf
  - http://gelixovuxa.22web.org/1540623799.pdf
  - http://micrometerdigital.xyz/mulexixilofujowourvj7.pdf
  - http://callipakk2.site/26035441320shy2j.pdf
  - http://legendbilisim.com/719430497438qyyu.pdf
  - http://www.ascendercorp.com/
  - http://www.ascendercorp.com/typedesigners.html
  - https://uploads.strikinglycdn.com/files/3fc2f900-c48f-435e-867f-8a5885013b76/77116522310.pdf
  - https://uploads.strikinglycdn.com/files/dce6a3d4-0424-4b8c-9d39-f2bd5c3bb602/how_to_perform_due_diligence_on_a_business.pdf
  - https://562c2315-396f-49d1-9e45-1236e049cb13.filesusr.com/ugd/ec0012_07496fc8c0e04a6a828c428f9b4b8f9c.pdf?index=true
  - https://uploads.strikinglycdn.com/files/c880cb03-f106-4cfa-893c-949254d6d9c4/rodegexikafef.pdf
  - https://uploads.strikinglycdn.com/files/7dc02b7b-61ad-4362-b835-a2d2568e95cc/breville_ice_cream_maker_best_price.pdf
  - https://uploads.strikinglycdn.com/files/75326f31-a025-4376-ae28-f4c8ee02797e/31249186570.pdf
  - http://bukogowimuko.epizy.com/birthday_video_songs_telugu.pdf
  - http://livukuxuperum.epizy.com/45025470661.pdf
  - http://fiwemigusa.rf.gd/rpg_mod_apk_android_1.pdf
  - https://uploads.strikinglycdn.com/files/8b57932d-20e8-4f7e-9ed1-503c69ae168f/lodatiradoxaboripa.pdf
  - https://uploads.strikinglycdn.com/files/fef15c7e-0780-46c8-9f27-55a7136255a2/livibexarosifutu.pdf
  - https://71b4061d-0fbe-47a8-a671-08758978b022.filesusr.com/ugd/0216f2_4045fcdf2fff4a01b10b740a45316610.pdf?index=true
  - https://uploads.strikinglycdn.com/files/3757b451-5be1-4f61-a720-3b453e7c1877/fovezixuravukakuxosuku.pdf
  - https://51f47fa2-20f7-4ec4-bb91-8ae4aee689b4.filesusr.com/ugd/917232_e7df117ff1f34ea5a0b78be1a9b7ca29.pdf?index=true
  - http://sudewepizetego.epizy.com/gunorevapose.pdf
  - https://aa3bb5c3-2bd4-4791-9e2a-6e31d5009b04.filesusr.com/ugd/60e703_36f95ceb9ba84362bde277cb0531e72b.pdf?index=true
  - http://gesulomesazisaj.epizy.com/38639043000.pdf
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/rights/
  - http://scripts.sil.org/OFL
  (The last seven entries are RDF/XMP metadata namespace identifiers and the SIL Open Font License URL carried by the embedded fonts' metadata, not clickable links; they are expected in any XMP-tagged PDF.)
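The three structural heuristics above (clustered link farm, non-clustered link farm on disposable hosts, and duplicate object bodies across an incremental update) can be reproduced from the raw bytes without a full PDF parser. The following is an added example, not the analyzer's code: the thresholds, the free-hosting suffix list, the active-content key list and the sample PDF are all assumptions constructed for illustration, and the two link-farm rules are folded into one decision tree here although the analyzer evidently runs them independently (both fired on this sample). It only inspects uncompressed `/URI` actions and top-level `N G obj ... endobj` definitions, so links inside object streams or encrypted strings are out of scope.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Free/disposable hosting suffixes. Assumption: illustrative list modelled on
# the hosts in the report's URL list, not the analyzer's own list.
DISPOSABLE_SUFFIXES = (".epizy.com", ".22web.org", ".rf.gd", ".strikinglycdn.com", ".filesusr.com")

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")                        # link-annotation targets
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)     # indirect object definitions
ACTIVE_RE = re.compile(rb"/(JS|JavaScript|Launch|OpenAction|AA)\b")  # active-content keys (assumed list)


def extract_uris(pdf):
    """Every /URI action target in the raw bytes, in file order (no decompression/decryption)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def link_farm_profile(urls, min_links=8, dominant_share=0.6):
    """Clustered vs. non-clustered link-farm verdict. Thresholds are assumptions for this example."""
    pdf_links = [u for u in urls if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname or "" for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    utm = any("utm_term" in parse_qs(urlsplit(u).query) for u in urls)  # SEO-redirector marker
    disposable = any((urlsplit(u).hostname or "").endswith(DISPOSABLE_SUFFIXES) for u in pdf_links)
    if len(pdf_links) < min_links:
        verdict = "none"
    elif share >= dominant_share:          # many .pdf links, one dominant host
        verdict = "PDF_SEO_LINK_FARM"
    elif utm or disposable:                # spread thin, corroborated by redirector / free hosts
        verdict = "PDF_SEO_DISPOSABLE_LINK_FARM"
    else:
        verdict = "review"
    return {"pdf_links": len(pdf_links), "hosts": len(hosts), "top_host": top_host,
            "top_share": round(share, 2), "utm_term_redirector": utm,
            "disposable_hosts": disposable, "verdict": verdict}


def duplicate_objects(pdf):
    """(num, gen) -> distinct whitespace-normalised bodies, for objects defined more than once."""
    seen = {}
    for m in OBJ_RE.finditer(pdf):
        key, body = (int(m.group(1)), int(m.group(2))), b" ".join(m.group(3).split())
        if body not in seen.setdefault(key, []):
            seen[key].append(body)
    return {k: v for k, v in seen.items() if len(v) > 1}


def duplicate_severity(dups):
    """'info' for body-only differences, 'raised' once a duplicate body carries active content."""
    if not dups:
        return "none"
    return "raised" if any(ACTIVE_RE.search(b) for v in dups.values() for b in v) else "info"


def resolve(pdf, num, gen, policy="last"):
    """Body a first-wins or last-wins reader would use for object num/gen (None if undefined)."""
    hits = [m for m in OBJ_RE.finditer(pdf) if (int(m.group(1)), int(m.group(2))) == (num, gen)]
    if not hits:
        return None
    return b" ".join((hits[0] if policy == "first" else hits[-1]).group(3).split())


# Constructed sample, not the analysed file: nine .pdf links thinly spread over
# free hosts plus one utm_term redirector, followed by an incremental update that
# redefines page object 3 with a page-open (/AA) action.
SAMPLE_URLS = [
    "https://redirector.example/strik?utm_term=portable+air+compressor",
    "http://host-a.epizy.com/1.pdf", "http://host-b.epizy.com/2.pdf",
    "http://host-c.rf.gd/3.pdf", "http://host-d.22web.org/4.pdf",
    "https://uploads.strikinglycdn.com/files/aaa/5.pdf",
    "https://uploads.strikinglycdn.com/files/bbb/6.pdf",
    "https://x.filesusr.com/ugd/7.pdf?index=true",
    "http://shop.example.com/8.pdf", "http://other.example.net/9.pdf",
]
CLUSTERED_URLS = ["http://one-host.example/doc%d.pdf" % i for i in range(8)] + ["http://www.example.org/"]


def _annot(n, url):
    return b"%d 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >> endobj\n" % (n, url.encode())


SAMPLE_PDF = b"".join(
    [b"%PDF-1.4\n",
     b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
     b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
     b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [%s] >> endobj\n"
     % b" ".join(b"%d 0 R" % (10 + i) for i in range(len(SAMPLE_URLS)))]
    + [_annot(10 + i, u) for i, u in enumerate(SAMPLE_URLS)]
    + [b"trailer << /Root 1 0 R >>\n%%EOF\n",
       b"3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 20 0 R >> >> endobj\n",  # same object, new body
       b"20 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n",
       b"trailer << /Root 1 0 R /Prev 0 >>\n%%EOF\n"])
```

Running `link_farm_profile(extract_uris(SAMPLE_PDF))` returns the non-clustered verdict (nine `.pdf` links over eight hosts, top host share 0.22, utm_term redirector present), while `CLUSTERED_URLS` returns the clustered one. `duplicate_objects(SAMPLE_PDF)` reports object 3 0 with two bodies, `duplicate_severity` raises it because the second body carries `/AA`, and `resolve(..., "first")` versus `resolve(..., "last")` shows the two different page dictionaries a first-wins and a last-wins reader would act on, which is the point of the parser-confusion heuristic.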
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00012ae3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12AE3 | 5484 bytes | 2227570b3535c4f59e784f3d1c4ff7066abf179a9adf366c3eae7026c1cbd9bb |
| font_01_sfnt_off00013d71.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13D71 | 11420 bytes | 4a17e55f126b3fc170c477b6075ff569589f1edffac97825cd3c6ad300f419e6 |