MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains a large number of external links, identified as a "PDF_SEO_LINK_FARM" heuristic, suggesting a malicious intent to manipulate search engine results or redirect users to malicious sites. The ClamAV detection and ML classifier further indicate maliciousness, specifically flagging it as a "Pdf.Phishing.Trojan". While no scripts were explicitly extracted, the presence of numerous external URLs and the heuristic firings strongly suggest a phishing or redirection attack, likely delivered as a spearphishing attachment.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://trafficel.ru/strik?utm_term=hot+air+balloon+gas+law+problem
- https://xaxovalalek.weebly.com/uploads/1/3/4/0/134040353/salesuvawa.pdf
- https://mawijazug.weebly.com/uploads/1/3/1/3/131380733/3857769.pdf
- https://rolosakuzorega.weebly.com/uploads/1/3/1/3/131379035/7a015d.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/rekawexuretowo/ranuzinurilax.pdf
- https://s3.amazonaws.com/rakabexozu/tavivukowolunopirovirefa.pdf
- https://s3.amazonaws.com/virumutipalis/gupajufo.pdf
- https://uploads.strikinglycdn.com/files/83bc29da-0e3a-4c30-b2bb-c164501a2ab6/service_manual_bosch_dishwasher_she.pdf
- https://s3.amazonaws.com/vidadaviwal/wujigopazabalamuzifulizal.pdf
- https://uploads.strikinglycdn.com/files/eabcaf84-ab24-443c-8af6-4b256f7af4de/4591889992.pdf
- https://uploads.strikinglycdn.com/files/618c8c1d-2110-4f75-8b17-de8ef2113918/97421882853.pdf
- https://s3.amazonaws.com/waxegatulo/custom_sheet_metal_signs_near_me.pdf
- https://uploads.strikinglycdn.com/files/3bef5f44-878c-4f06-a85e-ef3c2169bdb1/holiday_inn_express_tv_guide.pdf
- https://s3.amazonaws.com/nagev/magnifying_glass_guess_the_emoji_answers.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000101cc.bin4ca233cab3ea32aa2e41988eab26f15fad3f7d3b9aa3768b9050476ba0a37224 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x101CC | 5332 bytes |
font_01_sfnt_off000113e5.bin4391bc2180018816105e0cc0aa9bb996ec4e2b90dbaebc64c7eb3be32f7e0fe3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x113E5 | 10876 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.