MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains numerous external links, a common tactic for link farms and phishing sites, as indicated by the 'PDF_SEO_LINK_FARM' heuristic. The presence of a URL like 'https://trafffe.ru/strik?utm_term=movie+box+app+store' suggests a lure related to app stores. ClamAV detection and ML classification strongly indicate malicious intent, likely phishing or malware distribution.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://trafffe.ru/strik?utm_term=movie+box+app+store PDF link annotation
- https://cdn.sqhk.co/bugabowozi/gcKidlg/20884180857.pdfIn PDF document text
- https://sadozilodefizon.weebly.com/uploads/1/3/4/6/134659806/fijinusutoda_wanufedoje_dovalox_bevegavi.pdfIn PDF document text
- https://tatonipek.weebly.com/uploads/1/3/4/8/134874136/pebiregezivu_zujuluwadezav_tibajab.pdfIn PDF document text
- https://cdn.sqhk.co/muvetowiripa/Wjbhe11/46656806212.pdfIn PDF document text
- https://gumevuwogixuxuj.weebly.com/uploads/1/3/5/3/135317748/tagidixone_kigizexej.pdfIn PDF document text
- https://nigafabap.weebly.com/uploads/1/3/4/3/134377596/7506990.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4478146/normal_5fca84ffbac49.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/xalexojaxipud/history_of_indian_novel.pdfIn PDF document text
- https://s3.amazonaws.com/ravuxudibure/bluestacks_apk_won_t_install.pdfIn PDF document text
- https://s3.amazonaws.com/zuxime/36420945552.pdfIn PDF document text
- https://s3.amazonaws.com/paxivogedewilu/96649061747.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e065.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE065 | 5052 bytes |
SHA-256: 3c4bbc1265426e648f9abe2dcf88f976d8f7a2c1ccc9cd7c2fa982c467ad17fd |
|||
font_01_sfnt_off0000f1b3.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF1B3 | 10620 bytes |
SHA-256: 707ae665ca029fa901128862ea7d4f9661c576d3864ec00e4d34fc90fd5d41c0 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.