MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains an embedded URL that points to a suspicious domain, likely intended to redirect the user to a malicious site. The PDF also contains a large number of external links, suggesting a link farm or SEO poisoning attempt. ClamAV and ML classifiers also flagged this file as malicious, specifically as a phishing trojan.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://trafffe.ru/123?utm_term=7+deadly+sins+catholic+symbols
- https://zotadipijipas.weebly.com/uploads/1/3/4/4/134467791/kuzusajerakoz-lokomiji.pdf
- https://givifajilodox.weebly.com/uploads/1/3/0/8/130874655/b089515.pdf
- https://xuxavapivobe.weebly.com/uploads/1/3/4/5/134590147/dolasuva.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/nitizobuv/35075983956.pdf
- https://s3.amazonaws.com/vetamedisoz/opposite_of_always.pdf
- https://s3.amazonaws.com/lotibabakuj/1191557718.pdf
- https://static1.squarespace.com/static/5fc15bd3ff13940aa242d827/t/5fccb9042fa8bc6bcde5e074/1607252229961/71025626985.pdf
- https://s3.amazonaws.com/banula/blanca_nieves_y_compania_english.pdf
- https://uploads.strikinglycdn.com/files/0f4cc02c-3770-40fe-8fd2-f7a211e2661d/temobapuzid.pdf
- https://uploads.strikinglycdn.com/files/1f30237d-0ff9-4ac0-b1a9-44a15fd1642a/dagerusefulumu.pdf
- https://s3.amazonaws.com/baxekojojexusol/verismo_milk_frother_manual.pdf
- https://uploads.strikinglycdn.com/files/72c36609-6e2e-4d65-a0cb-bed648343acb/jipedexisar.pdf
- https://s3.amazonaws.com/jewizopukuni/information_about_shipping_bill.pdf
- https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbe279108845d092453e8ce/1606297489394/distance_and_time_graph_worksheet.pdf
- https://uploads.strikinglycdn.com/files/d63a6212-6d78-4970-a3ae-0758e791d47f/safe_flash_game_websites.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000c8b4.bin76ea564b3e00cd30550d5885cfece26ffb12c799ada01d4c7bb88d01849e7a4c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC8B4 | 5308 bytes |
font_01_sfnt_off0000daa3.bin09a49a34622775804dbf262d3f80b75387862e4aa0e33bcf76a7c2d7f9da52f5 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDAA3 | 9848 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.