Verdict: MALICIOUS
Risk Score: 214
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF was flagged as malicious by a ClamAV signature match (Pdf.Phishing.Trojan) and by multiple heuristics, including critical findings for a clickable link to known malicious redirector infrastructure and for a mass external PDF link farm. The ML classifier also rated it as very likely malicious (0.8904). The embedded links point to free-hosting and object-storage .pdf URLs clustered on a few hosts, which is consistent with a generated SEO/link-farm carrier that routes users into phishing or unwanted-software delivery chains through user interaction and redirect chains rather than a parser exploit, and with the spearphishing-attachment tactic tagged above. Note that none of the heuristics below reports embedded JavaScript; the evidence on this page is link-based, so the T1059.007 tag is not supported by the listed findings.
Machine Learning
- Nyx PDF Classifier malicious score 0.8904
Heuristics (5)

- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- PDF links to known malicious redirector infrastructure [critical, PDF_MALICIOUS_REDIRECTOR_LINK]
  PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://crophysi.ru/strik?utm_term=what+does+tenth+mean (in PDF document text)
  External .pdf links on free-hosting and object-storage domains (the link-farm pattern; note the clustering on s3.amazonaws.com, cdn.sqhk.co and per-site filesusr.com subdomains):
  - http://kavozama.22web.org/xejutivi.pdf (in PDF document text)
  - http://lojisaka.22web.org/systems_of_inequalities_word_problems_worksheet.pdf (in PDF document text)
  - https://cdn.sqhk.co/sejiragidu/PIjfii7/android_analog_modem_app.pdf (in PDF document text)
  - https://cdn.sqhk.co/valibekarofu/6WjeFMp/scrambled_words_list_with_answers.pdf (in PDF document text)
  - http://powogole.iblogger.org/pusexorimokutewerigi.pdf (in PDF document text)
  - https://cdn.sqhk.co/ximegawaso/jeUidja/talivobo.pdf (in PDF document text)
  - https://s3.amazonaws.com/devuxuzejozam/wikibotimitovejarilasene.pdf (in PDF document text)
  - https://s3.amazonaws.com/xoguwavosuje/lumivarevewosun.pdf (in PDF document text)
  - https://s3.amazonaws.com/feseni/82114191406.pdf (in PDF document text)
  - https://081e7fb2-604d-424b-9b75-a58d54a71a44.filesusr.com/ugd/abd6ea_1b8a19def84a46b7b4fa3c99cb79cfdd.pdf?index=true (in PDF document text)
  - https://s3.amazonaws.com/rikolesafuwofar/29464229435.pdf (in PDF document text)
  - https://9e6c4f0b-3406-4274-bf8a-5be7f948d240.filesusr.com/ugd/45c6ff_07b282847a6244e9ae8edd61e330b1d8.pdf?index=true (in PDF document text)
  - https://s3.amazonaws.com/fifomi/32227243544.pdf (in PDF document text)
  - https://e082cb0d-9c22-4a21-acb7-e2c6127a51d3.filesusr.com/ugd/ff0c06_a60d42b146a843d59204ee53175e7a5b.pdf?index=true (in PDF document text)
  - https://s3.amazonaws.com/xipavir/railroaded_richard_white.pdf (in PDF document text)
  - https://s3.amazonaws.com/taturi/the_constitution_preamble_worksheet_answers.pdf (in PDF document text)
  - http://xugezibefita.epizy.com/nonivemisorokomuxi.pdf (in PDF document text)
  - https://s3.amazonaws.com/zabejuvijolu/performance_appraisal_system_in_india.pdf (in PDF document text)
  - https://9a60fab3-6fb0-4be7-9305-b2e3cc44d963.filesusr.com/ugd/811c4f_25c1d2011f9544fe9cefacad5170b192.pdf?index=true (in PDF document text)
  - https://12350a4d-732a-4148-85a7-4fa27f2a77ec.filesusr.com/ugd/17beed_7bdcde5eb2b74b919c30dc52c4c05ac1.pdf?index=true (in PDF document text)
  - https://s3.amazonaws.com/lixuduwonifa/tumadifimituxun.pdf (in PDF document text)

  XMP/RDF namespace identifiers and font copyright/license strings (these come from the document metadata and the embedded DejaVu, Lohit, Sinhala and related fonts; they are expected in ordinary PDFs and are not part of the delivery chain; the trailing "GNU", "Regular" and "RegularDanhHong" fragments are adjacent font-name text that the URL extractor ran together with the URL):
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - http://fedorahosted.org/lohit (in PDF document text)
  - http://www.opentle.org (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
  - http://dejavu.sourceforge.net (in PDF document text)
  - http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
  - http://scripts.sil.org/OFL (in PDF document text)
  - http://www.geocities.com/mitra_anirban/hobbies.htmGNU (in PDF document text)
  - http://www.gnu.org/copyleft/gpl.htmRegular (in PDF document text)
  - http://www.gnu.org/licenses/lgpl.htmlRegularDanhHong (in PDF document text)
  - http://www.geocities.com/dnhhng (in PDF document text)
  - http://sinhala.sourceforge.net/ (in PDF document text)
  - http://sinhala.cvs.sourceforge.net/viewvc/*checkout*/sinhala/sinhala/fonts/CREDITS (in PDF document text)
  - http://www.gnu.org/licenses/gpl-2.0.html (in PDF document text)
  - http://www.gnu.org/licenses/gpl.html (in PDF document text)
  - http://scripts.sil.org (in PDF document text)
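Two of the heuristics above, the link-farm clustering check (PDF_SEO_LINK_FARM) and the duplicate-object check (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL), can be reproduced on raw bytes without a PDF library. The following is an added example, not the analyzer's code and not derived from this sample: the regexes, the thresholds in `link_farm_score`, the `build_sample_pdf` helper and the example hosts (files.example.net, redirector.example, and so on) are assumptions chosen for illustration, and the sample document is constructed inline so the script runs offline.

```python
"""Added triage example (not the analyzer's code): regex-based checks for the
PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shapes described
in the report. Works on raw bytes; the sample document is constructed."""
import re
from collections import Counter
from urllib.parse import urlsplit

# "N G obj <body> endobj"; DOTALL lets the body span lines.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# /URI (literal string) inside a URI action. Hex strings and escaped
# parentheses are not handled here; real triage needs a proper PDF parser.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def find_duplicate_objects(pdf):
    """Map (num, gen) -> list of bodies for objects defined more than once
    with different bytes. Same-body repeats are ignored as benign."""
    bodies = {}
    for num, gen, body in OBJ_RE.findall(pdf):
        bodies.setdefault((int(num), int(gen)), []).append(body.strip())
    return {k: v for k, v in bodies.items() if len(set(v)) > 1}


def resolve_object(pdf, num, gen, policy="last"):
    """Return the body a first-wins or last-wins reader would use for N G.
    Differing answers are the parser-confusion shape the heuristic flags."""
    matches = [b.strip() for n, g, b in OBJ_RE.findall(pdf)
               if (int(n), int(g)) == (num, gen)]
    if not matches:
        return None
    return matches[0] if policy == "first" else matches[-1]


def extract_uris(pdf):
    """All /URI action targets as text."""
    return [u.decode("latin-1") for u in URI_RE.findall(pdf)]


def link_farm_score(pdf, min_links=8, min_ratio=0.6, max_size=200_000):
    """Small file + many external .pdf links + most on one host => link farm.
    Thresholds are assumptions for illustration, not the analyzer's values."""
    pdf_links = [u for u in extract_uris(pdf)
                 if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname or "" for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    ratio = top_count / len(pdf_links) if pdf_links else 0.0
    flagged = (len(pdf) <= max_size and len(pdf_links) >= min_links
               and ratio >= min_ratio)
    return {"size": len(pdf), "pdf_links": len(pdf_links),
            "top_host": top_host, "ratio": round(ratio, 2), "flagged": flagged}


def build_sample_pdf(urls, dup=True):
    """Constructed minimal PDF body (no xref table) with one /Link annotation
    per URL. With dup=True, object 1 0 is redefined later in the file with an
    extra /OpenAction, mimicking an incremental-update style duplicate."""
    annots = b" ".join(b"%d 0 R" % (10 + i) for i in range(len(urls)))
    parts = [b"%PDF-1.4\n",
             b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
             b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
             b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [" + annots
             + b"] >>\nendobj\n"]
    for i, url in enumerate(urls):
        parts.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                     b"/A << /S /URI /URI (%s) >> >>\nendobj\n"
                     % (10 + i, url.encode("ascii")))
    if dup:
        # Hypothetical redirector host; a last-wins reader sees this action.
        parts.append(b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction "
                     b"<< /S /URI /URI (http://redirector.example/go) >> >>\n"
                     b"endobj\n")
    parts.append(b"%%EOF\n")
    return b"".join(parts)


# Constructed link set: ten .pdf links on one host plus two stragglers,
# the same clustering shape as the s3.amazonaws.com links in the report.
SAMPLE_URLS = [f"https://files.example.net/b{i}/{i}.pdf" for i in range(10)] + [
    "http://other.example.org/a.pdf", "https://cdn.example.com/b.pdf"]

if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_URLS)
    print(link_farm_score(sample))
    for key, bodies in find_duplicate_objects(sample).items():
        print("duplicate object %d %d defined %d times" % (*key, len(bodies)))
    print("first-wins:", resolve_object(sample, 1, 0, "first"))
    print("last-wins: ", resolve_object(sample, 1, 0, "last"))
```

The duplicate check deliberately ignores repeats with identical bodies, matching the heuristic's point that incremental updates legitimately rewrite objects; what matters is that `resolve_object` gives different answers under the two policies, and whether the later body carries an action. The link-farm check counts only `.pdf` targets so that metadata URLs like the font license strings in the list above do not inflate the count.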
Extracted artifacts (13)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_013_off0001c88e.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1C88E | 20644 bytes | e26f6691e4c1f00dd93fdb231e292833b1af608e1b8cf371db555f002283ff06 |
| font_00_sfnt_off00010392.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10392 | 6580 bytes | 14cc0ab35edac3aa26ab017a4a96aa5634b6061d7b36d58dbe4bc653bfaac54b |
| font_01_sfnt_off00011a4c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11A4C | 4948 bytes | 37ce13f6f7058a10d2cd26f58506ac15da4cea261fad3d10a14fb72b9e629e45 |
| font_02_sfnt_off00012b02.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12B02 | 2656 bytes | 1620336da6018abf771a3b64a4739dbc5cc5761e5bcfd31f9568e9163b5e6178 |
| font_03_sfnt_off00013607.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13607 | 4176 bytes | feba5af61c7c4d8b8b2df107262d80a1cdac3fa85aae056ddb10e20dc5b20c43 |
| font_04_sfnt_off00014344.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14344 | 4556 bytes | 1fd01345b7f636cf506cdf54af1a58c8c6eb66f3aebf688f33488a3265f50c03 |
| font_05_sfnt_off00015141.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15141 | 2328 bytes | 6d897259d7ab9db79b0dbb16904cd99ff486aa7f4a475590a5d3e44eab6e0eed |
| font_06_sfnt_off00015bb9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15BB9 | 4528 bytes | 0666b65a3f2fc48b4fd02fe9e558be454501f5729c80006fc3459953e1c2e81d |
| font_07_sfnt_off00016b9e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16B9E | 3208 bytes | 690bd9853e8822f75f4ac5e03302e9173a29007961160e169712c7f489070607 |
| font_08_sfnt_off00017874.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17874 | 7220 bytes | e39811035130539fb613f9d72f0cf4d56f31259b764fcf3d2479e0badf854a2b |
| font_09_sfnt_off00018c28.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x18C28 | 21096 bytes | b4fa44bb1acae06bd3910868a156c07ed4cff16d600a2b832712aed5465b4985 |
| font_11_sfnt_off0001ed55.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1ED55 | 3856 bytes | b2201855f482d227ee3c87e31669c262909559553061f6c57c20aee1fbe012d5 |
| font_12_sfnt_off0001fc05.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1FC05 | 3952 bytes | cbe667b65dd10d13bd2cf0bab94c6ba7b992ff1c5d05e823a08ba3d951dc26bd |