MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious intent. It contains a large number of external links, suggesting it is part of a link farm or phishing campaign. The embedded URLs point to suspicious domains, likely serving as lures for further malicious activity.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://traffking.ru/strik?utm_term=%2525E5%2525BE%252590%2525E4%2525B8%2525AD%2525E7%2525BA%2525A6+%2525E4%2525B8%2525AD%2525E5%25259B%2525BD%2525E8%2525BF%252591%2525E4%2525BB%2525A3%2525E5%25258F%2525B2+epub
- https://sigozebuxofiko.weebly.com/uploads/1/3/4/3/134372047/wepug.pdf
- https://cdn-cms.f-static.net/uploads/4372723/normal_5f93dc9568240.pdf
- https://sefubokadizafa.weebly.com/uploads/1/3/4/8/134880044/monoviligag.pdf
- https://cdn-cms.f-static.net/uploads/4424405/normal_5fa2a878aee01.pdf
- https://padabomax.weebly.com/uploads/1/3/4/6/134681696/ec79602.pdf
- https://cdn-cms.f-static.net/uploads/4369333/normal_5fa3af134126d.pdf
- https://cdn-cms.f-static.net/uploads/4454825/normal_5faaecdc7b506.pdf
- https://cdn-cms.f-static.net/uploads/4426571/normal_5fad5a907bcf9.pdf
- https://cdn-cms.f-static.net/uploads/4460266/normal_5fa9ddc5a4d5a.pdf
- https://cdn-cms.f-static.net/uploads/4451220/normal_5fa17ce176bc6.pdf
- https://cdn-cms.f-static.net/uploads/4365536/normal_5f927419263f1.pdf
- https://cdn-cms.f-static.net/uploads/4375210/normal_5fa030af43187.pdf
- https://fetibafavi.weebly.com/uploads/1/3/0/7/130776688/setowajum.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/besafefaf/zukajivumaxemut.pdf
- https://s3.amazonaws.com/wilugugo/metso_jaw_crusher.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000c6d4.bin1d30747efa085d9565e97a8dc8a29fcd8e45f0db862e5ed4579bcce4b6ae2405 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC6D4 | 4664 bytes |
font_01_sfnt_off0000d6f7.bin96967628de49351eedc163250c03072bc2892cce0b00c91594d4e035393e6caf |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD6F7 | 4340 bytes |
font_02_sfnt_off0000e5c8.bin26f58b4f61405a31fde4260a961abecef4e52f6fa3d588943f9f56b9b5e58df6 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE5C8 | 10500 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.