Verdict: MALICIOUS
Risk Score: 134
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
A heuristic fired on a clickable link to a known malicious redirector, 'crophysi.ru'. Combined with a second heuristic that detected password instructions for an archive, this indicates the document is a lure that steers the user into downloading a password-protected archive, most likely carrying malware (the password keeps the payload encrypted until after gateway scanning). The ML classifier independently scored the PDF as malicious with high confidence.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics (4)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): the PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE): the document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): the same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel label (macro, JS, link annotation, document body, ...) shows how each URL was reached. All of the URLs below were found in PDF document text:
  - https://crophysi.ru/123?utm_term=toxicity+album++zip
  - https://cdn-cms.f-static.net/uploads/4460709/normal_6009b50b94533.pdf
  - https://cdn-cms.f-static.net/uploads/4365549/normal_602961ea67c63.pdf
  - https://cdn-cms.f-static.net/uploads/4415944/normal_6037810743966.pdf
  - https://cdn-cms.f-static.net/uploads/4388820/normal_6061c1b65df85.pdf
  - https://static.s123-cdn-static.com/uploads/4457572/normal_5fde907f92632.pdf
  - http://www.ascendercorp.com/
  - http://www.ascendercorp.com/typedesigners.html
  - https://uploads.strikinglycdn.com/files/6bb4ad95-4cca-444b-b871-e6392665e5a0/robinair_34788ni_how_to_inject_oil.pdf
  - https://uploads.strikinglycdn.com/files/b8eff1d4-3204-4e42-ae64-7d0eef45994f/rslogix_5000_programming_languages.pdf
  - https://uploads.strikinglycdn.com/files/a62d36a4-41ac-45e8-9e90-5148ac75c534/87048061494.pdf
  - https://uploads.strikinglycdn.com/files/d7489ad5-f188-4bfa-bfb3-0fd152edb7a8/hoover_power_scrub_deluxe_carpet_washer_fh50150_user_manual.pdf
  - https://uploads.strikinglycdn.com/files/f1c21f53-ee93-4cfd-b28d-b97cd829b93c/tuzudedononemesivexu.pdf
  - https://uploads.strikinglycdn.com/files/cbff14a8-eb13-4498-9cff-1cdd3087c1ea/how_to_replace_samsung_galaxy_tab_e_screen.pdf
  - https://uploads.strikinglycdn.com/files/8715c17f-aef2-4511-a2d6-a012dd183c24/pepe_cretsiz_indir.pdf
  - https://uploads.strikinglycdn.com/files/fecf4f65-6638-419e-8ab5-8bb1277fdd4e/dawetozekal.pdf
  - https://uploads.strikinglycdn.com/files/d0ef8179-82a1-4b90-afb7-34dd19b75f1b/77097328969.pdf
  - https://uploads.strikinglycdn.com/files/d2666e40-4b44-4215-bec1-48fb95942da8/kufotodujifaturinurolek.pdf
  - https://uploads.strikinglycdn.com/files/0725ee6e-44f0-4e5b-b798-eacfd2527bfe/vewelid.pdf
  - https://uploads.strikinglycdn.com/files/ff8abaf3-9146-46da-a7bc-514df9220479/what_are_the_greek_and_latin_roots_for_auto.pdf
  - https://uploads.strikinglycdn.com/files/fd9ea6cb-eb9d-47be-92b6-e3a57561b8aa/graphtec_cutting_plotter_ce6000-60_price_in_bangalore.pdf
  - https://uploads.strikinglycdn.com/files/4e4bfd98-ae80-48ba-9f3c-ab198eef1055/g-shock_rangeman_gps_navigation_watch.pdf
  - https://uploads.strikinglycdn.com/files/2ab06bfb-ca2f-42b2-b890-87d787be01b8/maze_runner_3_full_movie_hindi_dubbed_download_480p.pdf
  - https://uploads.strikinglycdn.com/files/a1aec199-cae8-4bab-a68f-ab3b0dfbdf78/king_lear_act_2.pdf
  - https://uploads.strikinglycdn.com/files/11fddc0d-bc1e-43dc-9d30-07c892875f40/what_does_darkness_mean_in_heart_of_darkness.pdf
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/rights/
  - http://scripts.sil.org/OFL
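As an added example (not part of this report or the analyzer's own code), the following Python script performs the two byte-level checks behind the duplicate-object and embedded-URL heuristics above: it scans a PDF for indirect objects defined more than once with different bodies, reports what a first-wins reader and a last-wins reader would each resolve, raises severity only when a duplicate carries active content, and lists the /URI targets in definition order. The sample PDF is constructed inline (a link annotation redefined by an appended incremental update; the example.org and example.net hostnames are placeholders) and carries no valid xref table, so it exercises only this byte-level scan, not a conforming PDF parser.

```python
import re
import hashlib
from collections import defaultdict

# Constructed sample (not a real malware sample): the body defines object 4 as a
# /Link annotation once, then an appended incremental update redefines object 4
# with a different /URI. A first-wins reader follows the first link, a
# last-wins reader the second. The /Prev offset is a placeholder.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://example.org/benign) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://example.net/redirect?utm_term=album+zip) >> >>
endobj
trailer
<< /Root 1 0 R /Prev 9 >>
%%EOF
"""

# "N G obj ... endobj" anywhere in the file; the lookbehind stops a trailing
# digit of a longer token from being taken as the object number.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys that make an object "active": a duplicate carrying one of these is the
# case where the report raises severity above info.
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch",
               b"/OpenAction", b"/AA", b"/EmbeddedFile")


def find_duplicate_objects(data):
    """Return {(num, gen): [body, ...]} for indirect objects that are defined
    more than once with byte-different bodies (whitespace-normalised so that
    pure re-serialisation does not count)."""
    bodies = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        bodies[key].append(b" ".join(m.group(3).split()))
    return {k: v for k, v in bodies.items() if len(set(v)) > 1}


def classify_duplicates(data):
    """Mirror the report's severity rule: a body-only duplicate is 'info'
    (common in benign incremental updates); it becomes 'high' when any
    version carries active content."""
    findings = []
    for (num, gen), versions in find_duplicate_objects(data).items():
        active = any(any(k in v for k in ACTIVE_KEYS) for v in versions)
        findings.append({
            "object": f"{num} {gen}",
            "versions": len(versions),
            "digests": [hashlib.sha256(v).hexdigest()[:16] for v in versions],
            "first_wins": versions[0],   # what a first-definition reader resolves
            "last_wins": versions[-1],   # what a last-definition reader resolves
            "severity": "high" if active else "info",
        })
    return findings


def extract_uris(data):
    """Every /URI action target in the file, in definition order, duplicates
    included; a URL here is a lead, not a verdict on its own."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


if __name__ == "__main__":
    for f in classify_duplicates(SAMPLE_PDF):
        print(f"{f['object']} obj defined {f['versions']}x, severity={f['severity']}")
        print("  first-wins:", f["first_wins"].decode("latin-1"))
        print("  last-wins: ", f["last_wins"].decode("latin-1"))
    for u in extract_uris(SAMPLE_PDF):
        print("URI:", u)
```

Run it against a real sample by replacing SAMPLE_PDF with the file's bytes; the regex scan deliberately ignores the xref table so that an object hidden from the table, but still reachable by a reader that rebuilds it from byte offsets, is reported as well.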
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000fad8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFAD8 | 5112 bytes | 3cf5a4714944861a2f2ce5ab490e2666d0ca2e09d8a442c9b784d378a9c625d7 |
| font_01_sfnt_off00010c48.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10C48 | 13908 bytes | e232c5996148ac1d5bf171ae894c8f6e887e62f3311a180b628d669115ea54b2 |