MALICIOUS
204
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF document impersonates a cloud service, as indicated by the 'SE_CLOUD_DOC_LURE' heuristic and the presence of 'Sharepoint tutorial 2020 pdf' in the document body. It contains numerous embedded URLs, with at least one, 'https://dafemum.ru/strik?utm_term=sharepoint+tutorial+2020+pdf', flagged as a malicious redirector. The 'ML_NYX_PDF_MALICIOUS' and 'CLAMAV_DETECTION' heuristics further confirm its malicious nature, suggesting it's designed for phishing or malware distribution.
Machine Learning
- Nyx PDF Classifier malicious score 0.9989
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Cloud document impersonation lure medium SE_CLOUD_DOC_LUREDocument impersonates a cloud file-sharing service such as SharePoint, OneDrive, Google Drive, Dropbox, Box, or Microsoft 365 and asks the user to open, verify, or access a shared document
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://dafemum.ru/strik?utm_term=sharepoint+tutorial+2020+pdf In PDF document text
- http://vnds-super.space/wood_carving_kit_nz1b6xp.pdfIn PDF document text
- https://jevamupoledi.weebly.com/uploads/1/3/4/7/134712268/kixonakogo_wokab_xanumisigijux.pdfIn PDF document text
- http://wolotalute.iblogger.org/los_juegos_del_hambre_libro_1_paginas.pdfIn PDF document text
- http://pihodze.com/rilunenuwufupavoxiov709.pdfIn PDF document text
- http://zetomanebegox.iblogger.org/92809072142.pdfIn PDF document text
- http://lotto-investclub.com/13249880260h2z0o.pdfIn PDF document text
- https://tiwirekofer.weebly.com/uploads/1/3/5/3/135314588/1152391.pdfIn PDF document text
- http://smallita.space/19328762198cdz2h.pdfIn PDF document text
- http://ita-yog.space/services_marketing_lovelock_free_downloadcdq9e.pdfIn PDF document text
- https://lilikegemuvil.weebly.com/uploads/1/3/1/3/131398424/7a45b48c706.pdfIn PDF document text
- https://felekiki.weebly.com/uploads/1/3/4/6/134689652/nufojo.pdfIn PDF document text
- http://azakalaza5.xyz/jubagunedafogezal90mt9.pdfIn PDF document text
- https://vakenufepuxino.weebly.com/uploads/1/3/4/5/134529081/5749540.pdfIn PDF document text
- http://fafasun.iblogger.org/41672727931.pdfIn PDF document text
- https://cdn.sqhk.co/fasixazijaz/Tlei9Gx/60786733547.pdfIn PDF document text
- http://discount50it.pro/28953149059a60je.pdfIn PDF document text
- https://cdn.sqhk.co/gulizate/fxTck6C/49991953526.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.daltonmaag.com/In PDF document text
- http://zawagebojirowe.rf.gd/double_sided_business_card_template_pages.pdfIn PDF document text
- http://winenezufu.epizy.com/dexozomuwad.pdfIn PDF document text
- http://jutademopewe.epizy.com/dividing_integers_worksheet_with_answers.pdfIn PDF document text
- http://giverez.epizy.com/company_presentation_template_indesign.pdfIn PDF document text
- http://madukavinoxonal.epizy.com/cefsharp_winforms_anycpu.pdfIn PDF document text
- http://kixazogegome.epizy.com/67860779646.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00012a9b.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12A9B | 5212 bytes |
SHA-256: c72ae9e0e44e38b59e917449209de91f648efe15358db07c415e02230f11132c |
|||
font_01_sfnt_off00013c41.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x13C41 | 10752 bytes |
SHA-256: 2a052562309244883b469ee2c49af0c4b22b083fa40bdc3a8aadd10585135455 |
|||
font_02_sfnt_off000160f7.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x160F7 | 4324 bytes |
SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.