MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a large number of external links, many pointing to Weebly and Strikingly hosted PDFs, indicative of a link farm or phishing campaign. The ML classifier and ClamAV detection strongly suggest malicious intent. While no scripts were explicitly extracted, the PDF structure and heuristic firings point towards a phishing or malware distribution scheme.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://traffking.ru/aws?utm_term=coffee+day+enterprises+annual+report+2017
- https://pozimetotekiv.weebly.com/uploads/1/3/4/3/134339641/8549879.pdf
- https://jinidodax.weebly.com/uploads/1/3/0/9/130969434/gurumometexife.pdf
- https://vapesokon.weebly.com/uploads/1/3/4/3/134329795/kexobum-jinusu.pdf
- https://foseduvix.weebly.com/uploads/1/3/4/4/134491956/kobido-xuvidubiguv-bixegepizadaja.pdf
- https://kenufipafalenar.weebly.com/uploads/1/3/4/6/134616414/bd7712b5597406.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/8fef7bc2-0b7f-4508-9d47-c3d45616f8c0/99449939957.pdf
- https://s3.amazonaws.com/suzujewa/fractions_worksheet_year_6_tes.pdf
- https://s3.amazonaws.com/xedobox/unity_call_script_from_another_script.pdf
- https://uploads.strikinglycdn.com/files/b23245bd-a557-41e2-af2d-94a570317659/najotedufavaxavemube.pdf
- https://s3.amazonaws.com/tisegovofu/sasekuperosobarid.pdf
- https://uploads.strikinglycdn.com/files/dd4af0b7-28c0-44c0-8d3a-079b255938cb/gumag.pdf
- https://s3.amazonaws.com/jovekus/aadhaar_uidai_app.pdf
- https://s3.amazonaws.com/remavuj/hitachi_22e30_manual.pdf
- https://s3.amazonaws.com/tekujel/30173931731.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00011708.bin02ac1b07c57fa830bab83f51e4cb9380459c407270879e3b1d9530f38e9cace1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11708 | 5448 bytes |
font_01_sfnt_off000129ad.bin78206169fd5a96a1081a84d04f773612d7f66e79edfc551997f535084eefa2bc |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x129AD | 10796 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.