Malware Insights
This PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan' and an ML classifier indicating maliciousness. The document body, though heavily obfuscated, suggests a lure related to free software keys, and the PDF contains a large number of external links, many pointing to file-hosting services, indicating a link farm or distribution mechanism for further payloads. The presence of embedded URLs and the overall structure strongly suggest this document is part of a phishing or malware distribution campaign.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 5
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://traffset.ru/123?utm_term=avg+secure+vpn+serial+key+free
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000df88.bin eded65bf38790b06a70d61c4b283bd78a5022904c336fabfbbad751e35746f2a | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDF88 | 5396 bytes |
| font_01_sfnt_off0000f210.bin 6cd74a8dd17f30b49704fa08da34688667566fd24927432602fafa948ec4f390 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF210 | 10744 bytes |