MALICIOUS
136
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
T1203 Exploitation for Client Execution
T1071.001 Web Protocols
The PDF document contains numerous embedded links, including a suspicious URL related to 'extreme injector unknowncheats', and a heuristic firing for a 'PDF_SEO_LINK_FARM'. It also includes an instruction to disable security software, indicating a malicious intent to bypass defenses. The ML classifier strongly flagged this PDF as malicious, suggesting it's designed to exploit users or download further payloads.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Security software disable instruction high SE_SECURITY_BYPASSDocument instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://trafficel.ru/aws?keyword=extreme+injector+unknowncheats PDF link annotation
- https://nogulumu.weebly.com/uploads/1/3/4/4/134476008/daboxopaxu-gojixazabinuke.pdfIn PDF document text
- https://korodaziso.weebly.com/uploads/1/3/0/7/130740443/8067084.pdfIn PDF document text
- https://mizunawakore.weebly.com/uploads/1/3/1/4/131406356/dodiko.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/c64c8e66-1187-4b37-a386-c1aebb140404/dulita.pdfIn PDF document text
- https://s3.amazonaws.com/vabemavuputenif/30743757937.pdfIn PDF document text
- https://s3.amazonaws.com/libowebujakux/55818186980.pdfIn PDF document text
- https://s3.amazonaws.com/dukexajuj/nuxokatekudaguja.pdfIn PDF document text
- https://s3.amazonaws.com/naxizugenabi/dry_under_eyes_makeup.pdfIn PDF document text
- https://s3.amazonaws.com/subud/sabelageb.pdfIn PDF document text
- https://zesibeb.files.wordpress.com/2020/11/metropolitan_achievement_test.pdfIn PDF document text
- https://s3.amazonaws.com/solonebosop/67932719616.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005a65.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5A65 | 5264 bytes |
SHA-256: d07b7c1a7e660e9487b6d11a10fe70069d10e03e24a3dd5edd8508c216ffbe6f |
|||
font_01_sfnt_off00006c38.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6C38 | 11204 bytes |
SHA-256: 1726225bb432756e75667c5a639c4a51635bbf6c45ebd891e2a3b9ffcad4106c |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.