MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file was flagged by ClamAV and an ML classifier as malicious, with a critical heuristic identifying it as a PDF link farm. It contains an embedded URL pointing to 'traffnew.ru', which is likely part of a phishing or SEO spam campaign. Although no scripts were extracted, the PDF structure and heuristics strongly suggest malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://traffnew.ru/strik?utm_term=later+or+latter+half
- https://bipinutafo.weebly.com/uploads/1/3/4/3/134358532/be6e0.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://uploads.strikinglycdn.com/files/7f0bbbf0-860a-4d81-90d8-5c5d9fbf5e59/7657533289.pdf
- https://s3.amazonaws.com/zarusegibitumet/99903834875.pdf
- https://uploads.strikinglycdn.com/files/94fa7beb-9f4e-4509-a83e-d60f659485be/vikram_vedha_2017_bangla_subtitle.pdf
- https://uploads.strikinglycdn.com/files/c17d01bc-61dd-4f7b-a36d-788ffa127c7e/rv_deeded_lots_for_sale_oregon.pdf
- https://uploads.strikinglycdn.com/files/b1ca92e0-24ac-4f76-bc63-b224974020a0/jabenimegiduvusijikadona.pdf
- https://uploads.strikinglycdn.com/files/4195dc24-5e33-4d42-b1bf-22193962a657/21745564884.pdf
- https://uploads.strikinglycdn.com/files/b9c6163f-1549-4c7b-aebf-b41ee8140e05/soneb.pdf
- https://uploads.strikinglycdn.com/files/6cdf3832-e041-4a8c-bd5c-e3a50520e2aa/invalid_license_data_reinstall_is_re.pdf
- https://uploads.strikinglycdn.com/files/94fc6d7c-940f-46bc-a868-77c3782bebaa/4576291477.pdf
- https://s3.amazonaws.com/mawesenasijoser/blazing_star_apk_full.pdf
- https://uploads.strikinglycdn.com/files/963ca5a6-427d-4ff5-9e45-60402168373f/2720570895.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000c98b.bin8d64b8e7ee80bccb3d03f32b7e413d33f193e4d9abf1520bd80909bbd54290c3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC98B | 4252 bytes |
font_01_sfnt_off0000d80b.bind3dcdaef6259c77f094891140a411b82a7db9bdd01fa39c013e08c2a63f2bfad |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD80B | 10716 bytes |
font_02_sfnt_off0000fc2e.bin1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFC2E | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.