MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF document contains a large number of external links, with the primary heuristic identifying it as a link farm. One of the embedded URLs, 'https://traffine.ru/strik?utm_term=crash+by+jerry+spinelli+questions+and+answers', is flagged as suspicious. The ClamAV detection and ML classifier further indicate malicious intent, likely related to phishing or malware delivery through these links.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://traffine.ru/strik?utm_term=crash+by+jerry+spinelli+questions+and+answers
- https://misutinulil.weebly.com/uploads/1/3/1/4/131407711/fozapab_luvad_tigorukifakatu.pdf
- https://mivodijabid.weebly.com/uploads/1/3/4/7/134732330/63dd0d893.pdf
- https://dimaxafazeza.weebly.com/uploads/1/3/1/4/131453031/safado-fodidunixoso.pdf
- https://gatixitawenubik.weebly.com/uploads/1/3/4/6/134643062/xagefe.pdf
- https://cdn-cms.f-static.net/uploads/4476453/normal_5fb35c6bac4ff.pdf
- https://kizekusoviwo.weebly.com/uploads/1/3/1/4/131453028/1b180e4e982.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/a64a454e-4bf9-4ead-a3e3-69ca2ee716d4/66188148231.pdf
- https://uploads.strikinglycdn.com/files/91657fd5-5cc5-43fb-9ee2-5084b782b3b0/zefigufiwezaxujominedoku.pdf
- https://static1.squarespace.com/static/5fc110906609fd0ee7923de0/t/5fc36a9708845d0924f55324/1606642327985/65071261578.pdf
- https://s3.amazonaws.com/voropa/convertir_un_en_ingles_a_espaol.pdf
- https://s3.amazonaws.com/werowibovezoje/kasolelivozegizozogu.pdf
- https://uploads.strikinglycdn.com/files/3dca4f2a-2b6a-49c4-af0b-5d64ce663b25/bufuleferifulovovelil.pdf
- https://uploads.strikinglycdn.com/files/e8d3bcec-320f-402d-b051-629af92d8406/bemosuko.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e113.bin3a0168ed10a44c677d4aa094005858c34326cd18c55b5fbce6a435dec94ba118 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE113 | 5488 bytes |
font_01_sfnt_off0000f3be.bin415d137ea11388484d104dbb6efee1a252c6f864098af842819d3af554a93a8e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF3BE | 11380 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.