MALICIOUS
262
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
T1203 Exploitation for Client Execution
The sample is a PDF file flagged by multiple critical heuristics, including a malicious redirector link and ML classification. The 'SE_CLICKFIX' heuristic indicates social engineering to trick the user into executing a command, likely to download a second-stage payload. The embedded URL points to known malicious infrastructure, supporting the phishing and potential malware delivery intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClickFix social engineering attack high SE_CLICKFIXDocument instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://cctraff.ru/strik?utm_term=mediaf%253F+re+minecraft+mods+furniture In PDF document text
- https://nosuzodudoj.weebly.com/uploads/1/3/4/5/134588086/8641167.pdfIn PDF document text
- https://vikumeniwexawud.weebly.com/uploads/1/3/0/9/130969440/d585eab8343c0.pdfIn PDF document text
- https://ganubosi.weebly.com/uploads/1/3/4/5/134506756/1426994.pdfIn PDF document text
- https://mizanupiw.weebly.com/uploads/1/3/4/2/134265802/kexapa.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4470837/normal_5fd062560220a.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.daltonmaag.com/In PDF document text
- https://s3.amazonaws.com/loranoduzuja/brunei_international_airport_flight_information.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/38ef4279-e349-401e-b19c-719d6ff4323f/27695126731.pdfIn PDF document text
- https://static1.squarespace.com/static/5fc652a0085bf90c0e221d2d/t/5fd023e95efba8153b19b9a4/1607476203504/30392687256.pdfIn PDF document text
- https://s3.amazonaws.com/votubukaxogilix/61520524157.pdfIn PDF document text
- https://static1.squarespace.com/static/5fc6d23543c5ee75bf283f82/t/5fccb40fd235d37878c259aa/1607250960043/ninjago_skull_dungeon_board_game.pdfIn PDF document text
- https://s3.amazonaws.com/xebareto/vekusewotakufa.pdfIn PDF document text
- https://s3.amazonaws.com/lovomijelun/60881316400.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d5556468-9ab6-4743-9916-e96b25f082c5/on_tyranny_epub.pdfIn PDF document text
- https://static1.squarespace.com/static/5fdd53b4d610986319753e28/t/5fde795f459323513bcdeddf/1608415584310/11756234579.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000c121.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC121 | 5164 bytes |
SHA-256: 9918650a1d966170713c855c8f1908004750caecbf96e497ab4a300fc22fc192 |
|||
font_01_sfnt_off0000d293.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD293 | 10724 bytes |
SHA-256: f62c60904005447d0bf54788906664bde233634c19b727f3c9bd592ba376b49d |
|||
font_02_sfnt_off0000f76e.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF76E | 16212 bytes |
SHA-256: 697c2def67ca018959b441aeac194f5af81831b7356d9eba4b64b465986b1279 |
|||
font_03_sfnt_off00010ccf.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10CCF | 4324 bytes |
SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.