MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains numerous external links, a common tactic for SEO poisoning or phishing, as indicated by the 'PDF_SEO_LINK_FARM' heuristic. The primary URL, 'https://traffnew.ru/strik?utm_term=probleme+dayal%25C4%25B1+%25C3%25B6%25C4%259Frenme+senaryo+%25C3%25B6rnekleri', suggests a lure related to learning scenarios. ClamAV and ML classifiers also flagged this PDF as malicious, specifically as a phishing trojan.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://traffnew.ru/strik?utm_term=probleme+dayal%25C4%25B1+%25C3%25B6%25C4%259Frenme+senaryo+%25C3%25B6rnekleri
- https://ridolagu.weebly.com/uploads/1/3/0/7/130775195/gipijepaborakon.pdf
- https://dedeluruxizo.weebly.com/uploads/1/3/4/3/134305162/d5bb721851c6.pdf
- https://cdn-cms.f-static.net/uploads/4369914/normal_5f8a2758dfd8e.pdf
- https://cdn-cms.f-static.net/uploads/4374369/normal_5f9e3cceceeb1.pdf
- https://cdn-cms.f-static.net/uploads/4417123/normal_5f9915843df30.pdf
- https://cdn-cms.f-static.net/uploads/4426073/normal_5fa84e481dfce.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/b5ecc1c4-99ba-409f-8b1a-071781d08988/dragon_ball_dokkan_battle_mod_apk_global.pdf
- https://s3.amazonaws.com/henghuili-files2/18182299830.pdf
- https://s3.amazonaws.com/fejatepudopito/zodeg.pdf
- https://s3.amazonaws.com/xabalaru/lg_lfc21776st_refrigerator_manual.pdf
- https://uploads.strikinglycdn.com/files/867dc818-8e31-465c-a192-b30487bc327e/devepi.pdf
- https://s3.amazonaws.com/lukepepe/88281857343.pdf
- https://s3.amazonaws.com/dukajevo/an_inspector_calls_key_quotes_gcse.pdf
- https://uploads.strikinglycdn.com/files/ec111a26-c6c7-4f91-b796-6b98b4b81b3c/87874489345.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000fac5.bin5ebd271e7bc65b323c7fefaec2aeac48c219bd595cd7ec229d30520f0adce5e0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFAC5 | 5680 bytes |
font_01_sfnt_off00010dca.binf25c38abccd63d43b2322b0c177c2db49651158051ab49ec36faff5a32af24d6 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10DCA | 12428 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.