MALICIOUS
254
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
T1203 Exploitation for Client Execution
The PDF contains numerous embedded links designed to direct users to external websites, including a known malicious redirector at 'https://yafferge.ru/strik?utm_term=social+psychology+myers+pdf+free'. This indicates a phishing or scam attempt disguised as a free download. The ML classifier and ClamAV detection strongly support its malicious nature, likely exploiting PDF vulnerabilities to redirect users.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINKPDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://yafferge.ru/strik?utm_term=social+psychology+myers+pdf+free In PDF document text
- https://static.s123-cdn-static.com/uploads/4369643/normal_60020ccbba756.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4428045/normal_5fdf2a269ceb7.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4383572/normal_60309c67b314a.pdfIn PDF document text
- http://supobesopo.mygamesonline.org/mugoginizasu.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4499942/normal_5fcb486a074ef.pdfIn PDF document text
- http://avtoshkola-region26.ru/oster_digital_toaster_oven_manualdi5mj.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4445103/normal_5fc571b0d6801.pdfIn PDF document text
- http://libopadu.scienceontheweb.net/angularjs_tutorialspoint_download.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4425214/normal_604d01285edb7.pdfIn PDF document text
- http://xelasurugopu.mywebcommunity.org/dedirelodejuvanugamer.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4476566/normal_6028f88c048d6.pdfIn PDF document text
- http://obzorov.site/obusforme_mattress_warrantye3i3u.pdfIn PDF document text
- http://biotringel.shop/45384214932eyk8k.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4415944/normal_5fcc16e988f82.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/6a3f13eb-65d4-4935-942d-78fb7085107c/bakukilijokelanasawejukuz.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/9638564a-8293-4e23-b49a-ad9e4b755939/90630313639.pdfIn PDF document text
- https://0dd0cd87-80d3-4eb5-b9c6-73c43c3a6fca.filesusr.com/ugd/f0b6b3_f8bf64c82aef452eb9638039d67e8654.pdf?index=trueIn PDF document text
- https://7ae52be2-ba3c-41fb-8935-29281088223e.filesusr.com/ugd/affaa6_9bfc5c253db84d0fa1ad0a581bedeb0d.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/dc542249-e9bb-4764-b59d-7af727df1aff/lenovizefufav.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/59363398-ff26-4ad2-92a2-c760d40f4a30/vintage_polaroid_sun_600_lms_instant_camera.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000fbd4.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFBD4 | 5776 bytes |
SHA-256: 854e0874179d311c762e77fd7d02ede0f423d1355af116392d6ea90732ae6c3f |
|||
font_01_sfnt_off00010f5d.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10F5D | 10700 bytes |
SHA-256: 172062352e544792cc6cfb9cfcb51cb8a9b2c984019f068727a40f1ad4936d87 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.