MALICIOUS
252
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a critical heuristic firing for linking to known malicious redirector infrastructure, specifically `https://yafferge.ru/123?utm_term=medical+lab+report+in+word`. Additionally, it functions as a link farm on disposable hosting, with many embedded URLs pointing to other PDFs. ClamAV also detected it as `Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0`, indicating a phishing and trojan payload. The document body, though heavily obfuscated, suggests a lure related to a 'medical lab report'.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://yafferge.ru/123?utm_term=medical+lab+report+format+in+word In PDF document text
- https://cdn-cms.f-static.net/uploads/4373281/normal_5fdbb083ef5ab.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4488569/normal_605c0afa5b491.pdfIn PDF document text
- https://fufigejopugip.weebly.com/uploads/1/3/1/0/131070204/907669.pdfIn PDF document text
- https://jexiliwole.weebly.com/uploads/1/3/0/7/130739190/ziruvewutexen.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4481665/normal_60234a7bd1f17.pdfIn PDF document text
- https://static.s123-cdn-static-d.com/uploads/4410020/normal_60b12065a470e.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4467036/normal_5fc72486b2480.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4478387/normal_5fee1db9c7d89.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4476751/normal_604d2a0bb666a.pdfIn PDF document text
- https://gokuxevi.weebly.com/uploads/1/3/4/0/134017514/d330d0d66ae.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4459468/normal_5fda9419d940f.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4489848/normal_60279794cd758.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/1a5e881e-1562-43ee-88ed-8b613059678b/ladimezogupe.pdfIn PDF document text
- http://pefumugat.pbworks.com/w/file/fetch/144684606/wagovetazudonizipuver.pdfIn PDF document text
- http://vugufosenene.pbworks.com/w/file/fetch/144823245/what_does_the_flexor_hallucis_longus_do.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/47611d3a-f022-4749-9c47-228e57adbd59/81050369673.pdfIn PDF document text
- http://kekirow.pbworks.com/w/file/fetch/144411975/wenixaluveku.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d6e6478c-3aea-4244-98a4-e96800356e5e/countries_of_the_world_quiz_jetpunk_empty_map.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/3539e643-5cf7-460b-be07-07af3525a1a1/agricultural_microbiology_books_free_download.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/2e0323c6-2e88-4de6-b617-85a7b83f308e/kujikekiweli.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e423f7aa-69ad-4dee-92fb-c75dbb23188a/kigasozokomub.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e844.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE844 | 5360 bytes |
SHA-256: 4c10eb45a2ba7a6fe0aeefcb19a3aade541b06baf830615f1cdee471b43350ba |
|||
font_01_sfnt_off0000fa7e.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFA7E | 10524 bytes |
SHA-256: 3e3513adf2c5a0b434b4f82efd06b7a310a2bddd3e76902c433712a02d0cc77e |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.