Verdict: MALICIOUS
Risk Score: 156
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file was flagged by ClamAV as 'Pdf.Phishing.Trojan' and a machine learning classifier indicated a high probability of maliciousness. The heuristic 'PDF_SEO_LINK_FARM' indicates the document contains numerous external links, with the primary malicious URL being 'https://trafffi.ru/123?utm_term=avg+secure+vpn+product+key'. This suggests the document's primary purpose is to redirect users to potentially harmful websites.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://trafffi.ru/123?utm_term=avg+secure+vpn+product+key (PDF link annotation)
  - https://zeziruxowajud.weebly.com/uploads/1/3/4/6/134698921/4859915.pdf (in PDF document text)
  - https://saletenabij.weebly.com/uploads/1/3/4/3/134339554/6877096.pdf (in PDF document text)
  - https://burakobid.weebly.com/uploads/1/3/4/6/134602904/mazusizaba_jenogup.pdf (in PDF document text)
  - https://litepuvib.weebly.com/uploads/1/3/4/7/134741427/f843dbff6d63f53.pdf (in PDF document text)
  - https://belafawejogawol.weebly.com/uploads/1/3/4/5/134583754/f1bc82f4.pdf (in PDF document text)
  - http://www.ascendercorp.com/ (in PDF document text)
  - http://www.ascendercorp.com/typedesigners.html (in PDF document text)
  - https://static1.squarespace.com/static/5fc283fb2bbd74065810d034/t/5fcdeae3978da30c5620dc35/1607330531558/dragon_sky_goddess_max_level.pdf (in PDF document text)
  - https://static1.squarespace.com/static/5fc57202b8467722f1f27178/t/5fc705041d106d256bb8bd26/1606878470833/doomsday_preppers_survival_kit.pdf (in PDF document text)
  - https://static1.squarespace.com/static/5fc508b027a199023acff9ea/t/5fc57ae59b1ed035389792c7/1606777574637/web_scalability_for_startup_engineers_github.pdf (in PDF document text)
  - https://uploads.strikinglycdn.com/files/50723ece-ddde-41da-815f-3366c50862ba/venn_diagrams_worksheet.pdf (in PDF document text)
  - https://static1.squarespace.com/static/5fc64bd1be9b6939512f98cc/t/5fd6d508267c8d0ace58591e/1607914761536/10_minute_guided_chakra_meditation_script.pdf (in PDF document text)
  - https://static1.squarespace.com/static/5fc6cf121a9b7f6479338f83/t/5fd67f87e5ac58289626b877/1607892871892/rufewuguridorufe.pdf (in PDF document text)
  - https://static1.squarespace.com/static/5fc10ac260f2895dc1e8a19d/t/5fc757263d56556d143bd94b/1606899494196/onedrive_login_troubleshooting.pdf (in PDF document text)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
  - http://purl.org/dc/elements/1.1/ (in PDF document text)
  - http://ns.adobe.com/pdf/1.3/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
  - http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
  - http://scripts.sil.org/OFL (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000ca83.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCA83 | 5212 bytes | c727188203572834bdbabeb7cc6ea817d4f5c4ccb7ab5c84145b9f3196394037 |
| font_01_sfnt_off0000dc6c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDC6C | 10868 bytes | 7a7adc43a7d4e5b0f93a1fec1402540488418515c92672694755d80dacba2528 |