MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://gettraff.ru/aws?utm_term=achatina+fulica+pdf'. This indicates the document's primary purpose is to lure the user to a potentially harmful external site. The ML classifier also strongly flagged this PDF as malicious. No scripts were extracted, but the presence of a malicious URL is sufficient evidence of a phishing or malware distribution attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://gettraff.ru/aws?utm_term=achatina+fulica+pdf
- https://cdn-cms.f-static.net/uploads/4375518/normal_5f8c267994cf1.pdf
- https://cdn-cms.f-static.net/uploads/4477155/normal_5fbf16acc76a3.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/e1ad4d60-c03c-4f96-a519-4abda2650af7/36910920426.pdf
- https://static1.squarespace.com/static/5fc5c19bab79f442f24acc6a/t/5fccfcf2c836a917f90f6674/1607269619387/virus_hunters_show.pdf
- https://s3.amazonaws.com/vapelurowar/manualidades_con_cerillos_de_madera.pdf
- https://s3.amazonaws.com/mukut/bones_formed_in_endochondral_ossification.pdf
- https://uploads.strikinglycdn.com/files/ad29a0c0-36bb-473a-badd-f4a363e60fde/blood_elf_leveling_guide_1-80.pdf
- https://s3.amazonaws.com/desenaz/mathematical_constants_finch.pdf
- https://static1.squarespace.com/static/5fc1d3b3f9866f3fd2dadad4/t/5fc2bf78fa04221c717a603b/1606598520162/50863651389.pdf
- https://s3.amazonaws.com/bokelur/brave_new_world_answers.pdf
- https://uploads.strikinglycdn.com/files/affd3a42-5559-4ed0-a1fc-38186bb86df7/fairy_tail_figures_erza.pdf
- https://uploads.strikinglycdn.com/files/6595836a-7f7e-4f04-b065-04ef4ea86f7d/gukotamizanafujoxamawasi.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000d02d.bin1b285aa187e72a314b52bc76b2989ed1c1218e030e219a0793f8f28816c5a3d8 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD02D | 4956 bytes |
font_01_sfnt_off0000e115.bin90edc8c8e107d9ae41df5f536160078ea67457cf9fd11b3d74f143bd760887ec |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE115 | 11440 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.