Verdict: MALICIOUS
Risk Score: 154

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ggtraff.ru'. This, combined with a high ML classifier score and ClamAV detection, strongly indicates malicious intent. The embedded URL is likely used to lure the user into a phishing or malware download site.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9997

Heuristics (4)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs:
- https://ggtraff.ru/123?utm_term=instagram+de+ms+palomares
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000fe20.bin (hash dc62da00b31d088edb1578ac6791c136917e152a9daffcca77d3d299cf89b5c3) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFE20 | 5216 bytes |
| font_01_sfnt_off00010fc9.bin (hash 4e2233e56c95f055630515ff2d09feab949202faa8ade04cd36e75279bbebf88) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10FC9 | 10368 bytes |