MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, suggesting a link farm or phishing attempt. The presence of embedded URLs and the PDF_SEO_LINK_FARM heuristic further support this, pointing towards an attempt to redirect users to potentially harmful websites.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://traffking.ru/strik?utm_term=local+color+definition+in+your+own+words
- https://cdn-cms.f-static.net/uploads/4454682/normal_5fb9b35c71281.pdf
- https://jesasifewom.weebly.com/uploads/1/3/1/4/131453969/843a2260fbb.pdf
- https://gixujadimi.weebly.com/uploads/1/3/4/7/134708567/4f96ce28bf400d7.pdf
- https://cdn-cms.f-static.net/uploads/4450502/normal_5fa8fddb3db07.pdf
- https://cdn-cms.f-static.net/uploads/4412767/normal_5fb4244adee7e.pdf
- https://xexovelez.weebly.com/uploads/1/3/0/8/130813416/0e3ba8b74095b43.pdf
- https://cdn-cms.f-static.net/uploads/4450746/normal_5fa1261483ffd.pdf
- https://cdn-cms.f-static.net/uploads/4413587/normal_5fb6b2d9b9e00.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/werowibovezoje/follow_me_fnaf_song_free.pdf
- https://s3.amazonaws.com/biwubeleba/lajudiwavezekasoxobibe.pdf
- https://static1.squarespace.com/static/5fce4b4bccd2b773201ed0e2/t/5fd02a1fef76c20f2d3f0cc5/1607477794419/sazezulewujubupeforota.pdf
- https://s3.amazonaws.com/tetenifeme/piano_sheet_music_for_hallelujah_by_cloverton.pdf
- https://static1.squarespace.com/static/5fc384387848ba205d291bb5/t/5fc53896f8cdb769c68d18b6/1606760599872/venogo.pdf
- https://s3.amazonaws.com/degagaziv/netiga.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000c976.bin2c9af4d5b82aebbc0e0c0fa9708908abfec74a4852a45d7f6322b43a7f03bc7d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC976 | 5148 bytes |
font_01_sfnt_off0000db28.bin5716563b583670142efe7a5b34c2486d1c5c8ab9c00944449c548cdcb4b2afe6 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDB28 | 10680 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.