MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://trafffe.ru/aws?utm_term=latin+etymological+dictionary+pdf PDF link annotation
- https://gogesatita.weebly.com/uploads/1/3/4/3/134321397/65f80d5c9ce6c2.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4365582/normal_5fa164f30aea0.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/gupawupigawono/84124875014.pdfIn PDF document text
- https://s3.amazonaws.com/tobobowu/29865875513.pdfIn PDF document text
- https://s3.amazonaws.com/wegugus/52729910900.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/34ef6c75-b473-425c-b746-1b0f2469c975/8775469169.pdfIn PDF document text
- https://s3.amazonaws.com/towutoginadivu/2020_estimate_tax_calculator.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/caf1ce5b-6346-4764-a12a-4d03ca04d9f6/wamepetobixakefesaxinib.pdfIn PDF document text
- https://s3.amazonaws.com/nabifovu/berlin_gardens_furniture_warranty.pdfIn PDF document text
- https://s3.amazonaws.com/dinilederu/senior_2020_quarantine_shirts_svg.pdfIn PDF document text
- https://s3.amazonaws.com/mesixadelomomo/nifiwupozonoruti.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000c870.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC870 | 5340 bytes |
SHA-256: 3828162126bdab03b7793d8c8d3f9146b3895f8626f1e901abfbaf56a554d5ff |
|||
font_01_sfnt_off0000da94.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDA94 | 10888 bytes |
SHA-256: 0d7b978ffc599e80eef93f369d5ba6be36934175ca12bbb23014d4204b7847ba |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.