MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains a large number of external links, identified as a 'PDF_SEO_LINK_FARM' heuristic, suggesting a phishing or malware distribution attempt. The primary external URL, 'https://trafffe.ru/strik?utm_term=dancing+line+2.+7.+30.+00', is a strong indicator of malicious intent. ClamAV also detected this file as 'Pdf.Phishing.Trojan'. No scripts were extracted, but the structure and URL farm point towards a malicious document designed to redirect users to potentially harmful sites.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://trafffe.ru/strik?utm_term=dancing+line+2.+7.+30.+00
- https://cdn-cms.f-static.net/uploads/4381976/normal_5f95e01123870.pdf
- https://naxedomabaxa.weebly.com/uploads/1/3/1/6/131606472/9accf2be34380a.pdf
- https://cdn-cms.f-static.net/uploads/4410190/normal_5fc2461789c51.pdf
- https://wimavebitajiki.weebly.com/uploads/1/3/4/6/134609796/ligezoso-sijegutowo-rekif.pdf
- https://static.s123-cdn-static.com/uploads/4365613/normal_5fddfb98a416e.pdf
- https://movamapipimopi.weebly.com/uploads/1/3/5/3/135303402/9096191.pdf
- https://cdn-cms.f-static.net/uploads/4408177/normal_5fabb4779d675.pdf
- https://cdn-cms.f-static.net/uploads/4409092/normal_5fa0e402ee970.pdf
- https://cdn.sqhk.co/tiwumixe/hfSVPhf/22553791132.pdf
- https://static.s123-cdn-static.com/uploads/4416322/normal_5fd06a3cd72d9.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/wurivuve/what_s_on_tonight_brisbane_tv_guide.pdf
- https://s3.amazonaws.com/fizaxo/47536575273.pdf
- https://s3.amazonaws.com/gogoxowiniza/google_account_manager_7._0_apk_2019.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
- http://scripts.sil.org/OFL
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_005_off00013672.bin2fe39ec5406be38a660e659043136679688f5115b6687aff2f21f339ce06144f |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x13672 | 25680 bytes |
font_00_sfnt_off0000fed3.bin1edc1eba3745ec489b5762497f969a66201cf08b5667c89e0952c2969962fc7f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFED3 | 5240 bytes |
font_01_sfnt_off000110d1.bin770936fecaf7b310d3c062a8a0bfbc9b27d226374621d8cb5102e3d024e75952 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x110D1 | 10968 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.