Verdict: MALICIOUS
Risk Score: 184
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://yafferge.ru/award?keyword=printable+battleship+game+pdf'. This URL is presented within the document's content, suggesting a phishing or malware delivery attempt. The ML classifier also strongly flagged this PDF as malicious, supporting the assessment of a malicious redirector.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://yafferge.ru/award?keyword=printable+battleship+game+pdf (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f5ab.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF5AB | 5596 bytes | c905598f4acece05c9c25c61022e219f65100aaf3f5b613b3bea5569f3ca7525 |
| font_01_sfnt_off00010880.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10880 | 11168 bytes | aa5eb3b9133e6e709d02bedd2393d250aaa4710ca9c1bb43841cf4f964cb9d99 |