Malware Insights
The PDF file was flagged by a critical ClamAV signature (Pdf.Phishing.Trojan) and scored 0.9855 malicious by the Nyx PDF classifier. It carries 21 extracted URLs. One is an SEO-redirector link whose utm_term parameter holds a search query ('trafficel.ru/123?utm_term=costco+spiral+ham+recipe'); sixteen point to further PDFs spread thinly across free or disposable content hosts (cdn.sqhk.co, rf.gd, epizy.com, 22web.org, 66ghz.com, weebly.com and S3 buckets), with no single dominant host. That combination is what the PDF_SEO_DISPOSABLE_LINK_FARM heuristic looks for: the document itself is the link farm, built to rank for search queries and route readers into redirect or payload chains rather than to cite sources. No JavaScript or other active content was extracted and the PDF carries no exploit, so the risk lies in the linked destinations, not in opening the file. The remaining links (ascendercorp.com, daltonmaag.com, scripts.sil.org/OFL) are font-foundry and Open Font License URLs, consistent with the three embedded sfnt fonts carved from the sample, and should not be treated as campaign infrastructure.
Machine Learning
- Nyx PDF Classifier malicious score 0.9855
Heuristics 4
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM). Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI). PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted URLs 21
- https://trafficel.ru/123?utm_term=costco+spiral+ham+recipe
- https://cdn.sqhk.co/lafuwexale/cjjFGgh/65174194762.pdf
- http://puliliraforuwu.22web.org/f_c_b_full_form.pdf
- https://cdn.sqhk.co/dutaxato/MggdPGc/triple_double_slots_cheats.pdf
- https://dutajidadu.weebly.com/uploads/1/3/4/7/134730474/662be3d83acf.pdf
- http://velixone.66ghz.com/aero_performance_propellers.pdf
- https://cdn.sqhk.co/fegukajebaj/hlbifjh/2017_louisiana_football_recruits.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- http://mujunuge.rf.gd/medtronic_carelink_encore_programmer_manual.pdf
- http://vonupov.epizy.com/peter_pan_original_script.pdf
- http://folilef.rf.gd/vitemuluwurijagedimalixep.pdf
- https://s3.amazonaws.com/davawina/general_knowledge_quiz_questions_and_answers_2018.pdf
- http://nepanazunisemi.epizy.com/kakulikoduwikoxobete.pdf
- http://tuwidapaj.epizy.com/community_helpers_worksheets_for_kindergarten.pdf
- https://s3.amazonaws.com/likerajatob/cash_flow_report_in_sap_bw.pdf
- http://mobisojew.epizy.com/genetically_modified_food_benefits_and_risks_answers.pdf
- http://fodarevo.rf.gd/27686956083.pdf
- https://s3.amazonaws.com/xefezesebusu/zimamobile.pdf
- http://scripts.sil.org/OFL
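The link-farm logic described in the summary and in the PDF_SEO_DISPOSABLE_LINK_FARM entry above, re-derived from the extracted URL list as an added example (this is not the analyzer's own code). It builds a minimal PDF that carries the report's URLs as /URI link actions (the structure the PDF_URI heuristic fires on), pulls them back out of the raw bytes, and scores the list. The URL list is copied from this report; the disposable-host suffixes, the thresholds and the PDF builder are assumptions made for the illustration.

```python
"""Re-derive the PDF_URI and link-farm heuristics from the URL list above.

Added example, not the analyzer's code. REPORT_URLS is copied from the report;
the disposable-host suffixes, the thresholds and the minimal PDF builder are
assumptions made for this illustration.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

REPORT_URLS = [
    "https://trafficel.ru/123?utm_term=costco+spiral+ham+recipe",
    "https://cdn.sqhk.co/lafuwexale/cjjFGgh/65174194762.pdf",
    "http://puliliraforuwu.22web.org/f_c_b_full_form.pdf",
    "https://cdn.sqhk.co/dutaxato/MggdPGc/triple_double_slots_cheats.pdf",
    "https://dutajidadu.weebly.com/uploads/1/3/4/7/134730474/662be3d83acf.pdf",
    "http://velixone.66ghz.com/aero_performance_propellers.pdf",
    "https://cdn.sqhk.co/fegukajebaj/hlbifjh/2017_louisiana_football_recruits.pdf",
    "http://www.ascendercorp.com/",
    "http://www.ascendercorp.com/typedesigners.html",
    "http://www.daltonmaag.com/",
    "http://mujunuge.rf.gd/medtronic_carelink_encore_programmer_manual.pdf",
    "http://vonupov.epizy.com/peter_pan_original_script.pdf",
    "http://folilef.rf.gd/vitemuluwurijagedimalixep.pdf",
    "https://s3.amazonaws.com/davawina/general_knowledge_quiz_questions_and_answers_2018.pdf",
    "http://nepanazunisemi.epizy.com/kakulikoduwikoxobete.pdf",
    "http://tuwidapaj.epizy.com/community_helpers_worksheets_for_kindergarten.pdf",
    "https://s3.amazonaws.com/likerajatob/cash_flow_report_in_sap_bw.pdf",
    "http://mobisojew.epizy.com/genetically_modified_food_benefits_and_risks_answers.pdf",
    "http://fodarevo.rf.gd/27686956083.pdf",
    "https://s3.amazonaws.com/xefezesebusu/zimamobile.pdf",
    "http://scripts.sil.org/OFL",
]

# Assumption: free/disposable hosting suffixes this family parks its PDFs on.
DISPOSABLE_SUFFIXES = ("rf.gd", "epizy.com", "22web.org", "66ghz.com",
                       "weebly.com", "sqhk.co", "s3.amazonaws.com")


def is_disposable(host):
    return any(host == s or host.endswith("." + s) for s in DISPOSABLE_SUFFIXES)


def build_pdf_with_links(urls):
    """Constructed sample: a one-page PDF whose /Link annotations carry /URI
    actions, the structure the PDF_URI heuristic fires on."""
    annots = []
    for i, u in enumerate(urls):
        lit = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        annots.append("<< /Type /Annot /Subtype /Link /Rect [0 %d 100 %d] "
                      "/A << /S /URI /URI (%s) >> >>" % (i * 10, i * 10 + 10, lit))
    body = ("%PDF-1.4\n"
            "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            "3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            "/Annots [" + " ".join(annots) + "] >> endobj\n"
            "trailer << /Root 1 0 R >>\n%%EOF\n")
    return body.encode("latin-1")


# Literal-string /URI operands; backslash escapes for ( ) \ are honoured.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uri_actions(pdf_bytes):
    """Pull /URI (...) literal strings out of raw PDF bytes. Caveat: misses
    hex-string URIs and anything inside compressed object streams, so this is
    triage, not a substitute for a real PDF parser."""
    return [re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            for m in URI_RE.finditer(pdf_bytes)]


def link_farm_verdict(urls, min_pdf_links=5, max_dominant_share=0.5):
    """PDF_SEO_DISPOSABLE_LINK_FARM as the report describes it: many external
    .pdf links, no dominant host, plus a utm_term redirector and/or links on
    disposable hosts. The thresholds are assumptions, not the analyzer's."""
    parsed = [urlparse(u) for u in urls]
    pdf_hosts = [p.hostname or "" for p in parsed if p.path.lower().endswith(".pdf")]
    by_host = Counter(pdf_hosts)
    share = max(by_host.values()) / len(pdf_hosts) if pdf_hosts else 0.0
    redirectors = [p.geturl() for p in parsed if "utm_term" in parse_qs(p.query)]
    disposable = [p.geturl() for p in parsed if is_disposable(p.hostname or "")]
    return {
        "pdf_links": len(pdf_hosts),
        "distinct_pdf_hosts": len(by_host),
        "dominant_host_share": share,
        "seo_redirectors": redirectors,
        "disposable_links": len(disposable),
        "link_farm": len(pdf_hosts) >= min_pdf_links
        and share <= max_dominant_share
        and bool(redirectors or disposable),
    }


if __name__ == "__main__":
    found = extract_uri_actions(build_pdf_with_links(REPORT_URLS))
    print(link_farm_verdict(found))
```

Running it reproduces the profile in the report: 16 of the 21 links are .pdf targets spread over 12 hosts, no host holding more than 3 of the 16, one utm_term redirector, and every PDF link parked on a free or disposable host. The raw-byte regex is a triage shortcut; real samples can keep URIs in hex strings or inside compressed object streams, where only a proper PDF parser will see them.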
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000d975.bin | eaaa8f83d1d132d8a3843c380ea462ef97e5a4bcb724a8d258fac762f85a7be1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD975 | 4876 bytes |
| font_01_sfnt_off0000e9ff.bin | 43e121ebed9a1bdb0bb59225f7f0fd9b24b5e728a17211504a080df0e67e379d | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE9FF | 10824 bytes |
| font_02_sfnt_off00010ed4.bin | cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10ED4 | 4324 bytes |