MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains a heuristic indicating it's a malicious redirector link, pointing to 'ggtraff.ru'. It also exhibits characteristics of a link farm, with numerous external PDF links, suggesting a phishing or scam attempt. The 'SE_INVOICE_LURE' heuristic further supports the idea that the document is designed to trick the user into clicking the malicious link by appearing to be an invoice or payment notification.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Fake invoice / payment lure low SE_INVOICE_LUREDocument contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ggtraff.ru/123?utm_term=air+guide+accessory+mac-760fd-e In PDF document text
- https://cdn-cms.f-static.net/uploads/4382407/normal_5f9341c06f309.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4369328/normal_5f9ced75c475f.pdfIn PDF document text
- https://lewelekokoje.weebly.com/uploads/1/3/4/3/134333059/bovisosanebimanarewa.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4391335/normal_5f8e57352dbd0.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4408983/normal_5f97853b44fad.pdfIn PDF document text
- https://sofunidus.weebly.com/uploads/1/3/4/5/134593652/7c87d9fd.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/a3d796ec-49b0-42a4-97e8-14c67ddf6383/22238069456.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/51f651a5-62c3-4dda-8cd9-83673a958d5c/44293485262.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/346af5ab-61ca-49db-977c-1d19d055f765/59408688353.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/19ba535d-a515-41e8-986f-eb1ebca7ccfd/jaxigibavinuse.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/296721ea-1a7c-4c66-845e-dd830963b214/nichols_middle_school.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/6e2ae615-48b2-47fc-995b-863c6d4fe9b0/debose.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f8d9.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF8D9 | 3656 bytes |
SHA-256: 9bf8e9c8677a4d295eb8f5274d583a2a1d2696571d95de0f685cf587223d447a |
|||
font_01_sfnt_off000105ed.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x105ED | 5808 bytes |
SHA-256: fb35ba614985779ab5027c33dc5328cf9e35979c00d1d7940a989fb9ddea9c14 |
|||
font_02_sfnt_off000119bb.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x119BB | 15648 bytes |
SHA-256: 2d05dbffaf684b80f0fa2a2ce9e857d781023db3e67b6d699ce5b0d27ff17c87 |
|||
font_03_sfnt_off0001479b.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1479B | 16100 bytes |
SHA-256: d973db94ba2c448c661c26f08d051ac794e7cb4f3c7daa33c2141e8036f071b6 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.