MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'traffmen.ru'. This, combined with a high ML classifier score and ClamAV detection, strongly indicates malicious intent. The document body, though heavily obfuscated, appears to be a lure related to 'Enterprise rent a car case study', suggesting a phishing or social engineering pretext.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://traffmen.ru/strik?utm_term=enterprise+rent+a+car+case+study
- https://cdn-cms.f-static.net/uploads/4476152/normal_5fbb31771602c.pdf
- https://cdn-cms.f-static.net/uploads/4377902/normal_5f94b1c7deadc.pdf
- https://cdn-cms.f-static.net/uploads/4386593/normal_5f981d5ec1e8b.pdf
- https://cdn-cms.f-static.net/uploads/4376850/normal_5f8b525a7926a.pdf
- https://cdn-cms.f-static.net/uploads/4378830/normal_5fb03a2d1ea3b.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://uploads.strikinglycdn.com/files/c4bfc34d-0030-4342-b22b-082bbb77fbdd/subigegiruput.pdf
- https://uploads.strikinglycdn.com/files/fc0ccfcd-aedf-4f18-ab02-a24ed7665588/lakepoj.pdf
- https://uploads.strikinglycdn.com/files/ecbe2fa7-0487-4d58-9ce9-ab133df4fd05/sex_letters_to_boyfriend_in_jail_examples.pdf
- https://uploads.strikinglycdn.com/files/2cffea67-c3eb-4c42-a292-81dcb67753d5/66149048859.pdf
- https://uploads.strikinglycdn.com/files/0d15076c-18d1-40e7-a307-094eb2fc11ee/lulomuzabu.pdf
- https://uploads.strikinglycdn.com/files/641a2193-535d-4321-a441-bfd3dbd882b3/sexaba.pdf
- https://s3.amazonaws.com/tawovojo/xazupagofozikus.pdf
- https://s3.amazonaws.com/kabisebax/caron_simply_soft_party_yarn_royal_sparkle.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000dc22.binb9af8e6ff61a564cdac3d97856531d7e58d8b9dc925fdee5bd9fd253200fcb75 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDC22 | 4864 bytes |
font_01_sfnt_off0000ecb0.bin28018449a08662cc815a107ae2e2f064b15684bb1828b446cf323d6df8b1fbe1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xECB0 | 11164 bytes |
font_02_sfnt_off00011220.bin1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11220 | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.