MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a large number of external links, many pointing to S3 buckets and other domains, indicative of a link farm or SEO manipulation scheme. The ClamAV detection and ML classifier strongly suggest malicious intent, specifically identified as a phishing trojan. While no scripts were directly extracted, the PDF structure and embedded URLs point towards a malicious document designed to redirect users to potentially harmful content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://traffking.ru/aws?utm_term=year+3+science+magnets+worksheets
- https://rigavedisibabaz.weebly.com/uploads/1/3/4/9/134902328/f82d2b3f1fd678.pdf
- https://wegotutitupal.weebly.com/uploads/1/3/1/4/131453182/laberures-zuzewekuselobe.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/fasomusogapovi/64183579007.pdf
- https://s3.amazonaws.com/godoremitiwuja/understanding_demand_and_supply_shifters_worksheet.pdf
- https://static1.squarespace.com/static/5fc0ba3b0a2757459be1f9cb/t/5fc0f011f3de5e49b5862dba/1606479889675/six_feet_under_billie_eilish_lyrics_eviri.pdf
- https://s3.amazonaws.com/rudelazifizuvo/fezelinutegukin.pdf
- https://s3.amazonaws.com/wovugi/39330853674.pdf
- https://uploads.strikinglycdn.com/files/fc768536-e584-4538-87ce-9a0dd877e05c/febozasevo.pdf
- https://s3.amazonaws.com/jarawaxanivu/bibliotecas_virtuales_definicion.pdf
- https://s3.amazonaws.com/dejazuvorira/mipure.pdf
- https://uploads.strikinglycdn.com/files/3dd6772e-371d-4668-803c-62aa8025282b/elsir_vale_player_map.pdf
- https://s3.amazonaws.com/gaxuremewuger/90426378654.pdf
- https://uploads.strikinglycdn.com/files/6147eb6d-7d27-4b19-a659-5a7ac17b654d/foreshadowing_and_flashback_worksheet.pdf
- https://s3.amazonaws.com/figugipopar/bedegodekamivewirakevafoj.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000b6e0.bin6a19aa8c8235afcfb29867c81261cc6bef050d1d319d1aa41334c1f218670790 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xB6E0 | 5464 bytes |
font_01_sfnt_off0000c962.bin1bcaa9be4cfe7dd890f3403b636bdb1191283077a59d4862c90d5ba981751799 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC962 | 10132 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.