MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ggtraff.ru'. This indicates an attempt to lure the user to a potentially harmful website. The ML classifier also strongly flagged this PDF as malicious. While no scripts were explicitly extracted, the nature of the redirector suggests a phishing or malware delivery attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ggtraff.ru/123?utm_term=domain+and+range+of+a+unit+circle
- https://cdn-cms.f-static.net/uploads/4450038/normal_5fa8e4457ca0c.pdf
- https://cdn-cms.f-static.net/uploads/4381543/normal_5fa2bddd7e563.pdf
- https://cdn-cms.f-static.net/uploads/4371020/normal_5f915bbc564a1.pdf
- https://cdn-cms.f-static.net/uploads/4366367/normal_5f9bc5d83451d.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/95f21658-d686-497d-a19b-2fbdceb06a83/kaxoki.pdf
- https://s3.amazonaws.com/padadutiseni/32gb_flash_drive_walmart.pdf
- https://s3.amazonaws.com/rokuwapesu/futekufutuvopubu.pdf
- https://uploads.strikinglycdn.com/files/67c076bd-232e-4069-88d6-4ca0839caa65/3_dot_tattoo_meaning.pdf
- https://s3.amazonaws.com/wunupalezozerud/writing_tracing.pdf
- https://uploads.strikinglycdn.com/files/7a5590a1-777b-407a-bb57-f2c8370fa928/translate_yiddish_to_english.pdf
- https://uploads.strikinglycdn.com/files/d4435a37-b3a8-408a-960a-8528629e2db5/los_diferentes_tipos_de_reactivos_pa.pdf
- https://uploads.strikinglycdn.com/files/5eae1b15-893b-4d2c-93de-f1122012fb0b/seral.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00013504.bin63505f23ac0cd6426944369c61d88a75000c9d41a44940f99c0e482c7b2eab78 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x13504 | 5164 bytes |
font_01_sfnt_off00014683.bin757dc89b58c9d5ef5390a5682c772db37878b6d95b22db30c3f286d4a1ebe62e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x14683 | 15208 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.