Verdict: MALICIOUS
Risk Score: 154
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'dafemum.ru'. The ML classifier also strongly flagged this PDF as malicious. While no scripts were explicitly extracted, the presence of a malicious URL indicates an attempt to lure the user to a compromised site, likely for phishing or further malware delivery.
Machine Learning
- Nyx PDF Classifier malicious score 0.9992
Heuristics (4)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The flagged redirector URL is https://dafemum.ru/123?utm_term=decimal+point+worksheets+free (in PDF document text).
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f411.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF411 | 5408 bytes | ce98c54020ff8ad1b3c51a4414518eecba573b770e3f8b799f404ae2435b69cb |
| font_01_sfnt_off00010661.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10661 | 10552 bytes | f156fa436f9cc7eed1baeb7242e610371e079ab038c9c5282aa8515187551649 |