MALICIOUS
242
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF document was flagged by multiple critical heuristics for containing a malicious redirector link and a large link farm. The ML classifier also strongly indicated maliciousness. While no scripts were extracted, the presence of numerous links, including one pointing to a known malicious redirector, suggests an attempt to lure users to malicious content or phishing sites. The document body appears to be corrupted or obfuscated, preventing a clear understanding of its specific lure.
Machine Learning
- Nyx PDF Classifier malicious score 0.9922
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://gettraff.ru/strik?utm_term=clinique+take+the+day+off+cleansing+oil
- https://dugegedop.weebly.com/uploads/1/3/4/3/134338267/5857b3c1cb.pdf
- https://ludamezowi.weebly.com/uploads/1/3/4/1/134131800/gupenalixemip.pdf
- https://guwomenod.weebly.com/uploads/1/3/0/8/130873843/tiladejonu.pdf
- https://beluxavin.weebly.com/uploads/1/3/4/5/134507718/mofekuzukigilu.pdf
- https://cdn-cms.f-static.net/uploads/4415531/normal_5f98acdcad9e7.pdf
- https://lonerunit.weebly.com/uploads/1/3/4/0/134017922/varofunusu_xokulek.pdf
- https://jobekivisa.weebly.com/uploads/1/3/4/5/134584889/74045a2441.pdf
- https://cdn-cms.f-static.net/uploads/4378628/normal_5f8ba93c45737.pdf
- https://liguroxuf.weebly.com/uploads/1/3/4/4/134443360/gokapipixak-zanet-nepuwagopir-gawunoxeledede.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/505bf97a-48cf-4e2d-81c6-71d68b226e51/xotok.pdf
- https://uploads.strikinglycdn.com/files/302fb611-0091-4e94-9a9c-b5948271b4ec/14616096080.pdf
- https://uploads.strikinglycdn.com/files/d30dbceb-06cf-4b5a-886e-6aa3c7fe3e7a/5307254074.pdf
- http://scripts.sil.org/OFL
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000cb46.bind88f8133eda92493d82d5472406b7cd9da34d31a5efaf1bcbb8c3db01c686f1d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xCB46 | 5384 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.