MALICIOUS
244
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file was flagged by multiple critical heuristics indicating malicious redirector links and a link farm hosted on disposable infrastructure. The embedded URLs, such as 'https://crophysi.ru/wix?keyword=how+to+archer+pdf', are likely part of a phishing or content-luring scheme. While no scripts were explicitly extracted, the nature of the embedded links suggests an attempt to redirect users to malicious websites, aligning with spearphishing tactics.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://crophysi.ru/wix?keyword=how+to+archer+pdf In PDF document text
- https://cdn.sqhk.co/xeveweno/jcgccih/betternet_hotspot_vpn.pdfIn PDF document text
- https://cdn.sqhk.co/tevenijubuso/dSjhiib/furry_wolf_girl_names.pdfIn PDF document text
- https://cdn.sqhk.co/sugefixa/gdhgiaa/48745716945.pdfIn PDF document text
- https://cdn.sqhk.co/zururodi/dgdRDNu/moxanewijag.pdfIn PDF document text
- http://instas.site/443000876404enbw.pdfIn PDF document text
- https://cdn.sqhk.co/vagizabibo/gAQOXLT/nuclear_weapons_should_not_be_banned.pdfIn PDF document text
- http://instapresent.site/schlage_camelot_handlesetspxd7.pdfIn PDF document text
- http://kindraretterath.com/desert_worms_brick_rigsobzte.pdfIn PDF document text
- https://cdn.sqhk.co/pasededi/ii7jagi/kemofaw.pdfIn PDF document text
- http://helpcenterbusiness.xyz/727021636604d0dt.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://bf6af823-cb0d-4ee8-9d5b-4f0b1de5ed24.filesusr.com/ugd/9eb187_fb39128348cb409f8612015aa612f84b.pdf?index=trueIn PDF document text
- https://992bddda-184d-467f-a815-0165b41a2208.filesusr.com/ugd/69695d_16ad4b45e04644dc889723968c9db3f2.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/napejaxosinages/heise_notepad_portable.pdfIn PDF document text
- https://4c2674ec-1430-4cec-a455-d6a35d10586e.filesusr.com/ugd/38955b_59fbec5d77fb408382db366e92d90221.pdf?index=trueIn PDF document text
- https://bf808793-8b46-4c54-8b11-319763181fa0.filesusr.com/ugd/0d018b_05a3d2ee2e2149e19754deab9e5a3710.pdf?index=trueIn PDF document text
- https://793776f3-68b4-44d3-947a-596ce2c6f652.filesusr.com/ugd/4e977a_863d5954067a4f5eb86b81899a95a6c8.pdf?index=trueIn PDF document text
- https://a68e2ff5-bf17-48e3-82d4-ceb975b85758.filesusr.com/ugd/760101_634f9e3705664f8b9453711afbd3a978.pdf?index=trueIn PDF document text
- https://s3.amazonaws.com/ronenitevodo/free_autorun._exe_for_windows_xp.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e6cb.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE6CB | 5088 bytes |
SHA-256: 92cfd852ecbcb4fe5ea4222aa8f27a342a5649f91572066555e3e70618cfd658 |
|||
font_01_sfnt_off0000f827.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF827 | 11712 bytes |
SHA-256: 9c6b41fe5bc571aebf359dad7b0f36b9bf0123254c22ca875026f78ca6398e67 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.