MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains numerous external links, with one identified as a potential phishing or malware distribution URL (https://trafffe.ru/strik). The heuristic PDF_SEO_LINK_FARM indicates a large number of external links, suggesting an attempt to manipulate search engine results or distribute malicious content. ClamAV detection and ML classification further support its malicious nature, likely as a phishing or trojan delivery mechanism.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 5
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL
- https://trafffe.ru/strik?utm_term=dnd+warlock+hexblade+patron
- https://cdn-cms.f-static.net/uploads/4444113/normal_5f9d6c3ed68a7.pdf
- https://static.s123-cdn-static.com/uploads/4385206/normal_5fc9818070f94.pdf
- https://weduzoviduluwiz.weebly.com/uploads/1/3/4/3/134385862/eaa576b3a.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static1.squarespace.com/static/5fc6c10104a8c57c1485c1c7/t/5fccb647260a660a6bd7d841/1607251527832/boeing_777_crew_rest_compartment.pdf
- https://s3.amazonaws.com/fajonubinomeder/checkbook_ledger_template_printable.pdf
- https://uploads.strikinglycdn.com/files/8feaa893-8063-4e6b-9e70-471f8df6458c/rujawu.pdf
- https://static1.squarespace.com/static/5fc0f6bd5687f52b6b817d01/t/5fc1d07c61e25426e17af7c1/1606537347065/the_odyssey_book_the_homecoming_summary.pdf
- https://uploads.strikinglycdn.com/files/35c97905-e2b2-41c5-bcfb-22ac509fd030/62508450925.pdf
- https://static1.squarespace.com/static/5fc101b088c99b6d37a7afc3/t/5fc6691508845d092466ea1e/1606838549669/vasorewivopuxijusa.pdf
- https://static1.squarespace.com/static/5fc10304b8467722f1d4df02/t/5fc165eb4f98375720140354/1606510064894/4th_anniversary_gift_ideas_fruit_and_flowers.pdf
- https://s3.amazonaws.com/gurafoga/dejixuxegasibegajuk.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off000130c1.bin (SHA-256: 25cc2563bd9058ebfa2f3465c9a9576849afef9716bd525f7bb9848446d5f59d) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x130C1 | 5344 bytes |
| font_01_sfnt_off000142ff.bin (SHA-256: f9bf670d9e7dbc17f46d7963cbfc56aed01b8dd66bd664c8d229485cc663a383) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x142FF | 10984 bytes |