MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains embedded links and references to external URLs, including one that appears to be a lure for a 'Besiege mod apk'. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external links, suggesting a link farm or phishing operation. The ClamAV detection and ML classifier further support its malicious nature, likely as a phishing or malware distribution document.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://trafffi.ru/aws?utm_term=besiege+mod+apk
- https://gedevoliritigit.weebly.com/uploads/1/3/4/6/134686631/3172886.pdf
- https://cdn-cms.f-static.net/uploads/4380088/normal_5f9683843c0a1.pdf
- https://cdn-cms.f-static.net/uploads/4390074/normal_5fa50a4885d19.pdf
- https://cdn-cms.f-static.net/uploads/4424043/normal_5f98664234d69.pdf
- https://tiwotutekog.weebly.com/uploads/1/3/4/7/134722077/nasugoxilobosinabazo.pdf
- https://cdn-cms.f-static.net/uploads/4368760/normal_5f9661a64608d.pdf
- https://cdn-cms.f-static.net/uploads/4488135/normal_5fae7bfa16add.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/4d10ee7d-93f5-410c-90ed-091779202740/67188122048.pdf
- https://uploads.strikinglycdn.com/files/2260cba8-83e9-4aa8-a6a0-7e6039b11723/gapijotifose.pdf
- https://uploads.strikinglycdn.com/files/40647915-9d7a-4819-bcf0-23c9cea10471/ruvaxafezoninulapipiw.pdf
- https://uploads.strikinglycdn.com/files/5d4f0b3c-2a1f-4193-bfe1-65bd5c979b99/nixepuwizonexunutineruto.pdf
- https://uploads.strikinglycdn.com/files/c18e4997-307a-4de8-a7c3-37f00e68d63f/4744914596.pdf
- https://uploads.strikinglycdn.com/files/e860aa9f-f0a7-4cb3-baa3-448b38712313/2750732907.pdf
- https://uploads.strikinglycdn.com/files/322d8037-ef50-4c8d-9ad6-092fa5a98b2e/36692039413.pdf
- https://uploads.strikinglycdn.com/files/9158b754-6c9a-4af8-9f6e-82f2a71d84a9/54981312566.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000d3e3.bin251ddb7389a127d80923857ea3067d8cb4ee6c2421212ec98e012ee845bea35a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD3E3 | 5264 bytes |
font_01_sfnt_off0000e5c0.bin79c3d8c02368bcd8de381901208ee238ec47af420f08bcaa2f2ae63480b1c091 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE5C0 | 10340 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.