MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a large number of external links, identified as a 'PDF_SEO_LINK_FARM' heuristic. One of the primary external URIs points to 'trafftec.ru', which is likely part of a phishing or malicious redirection scheme. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing trojan.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://trafftec.ru/aws?utm_term=chrome+extensions+adblock+android
- https://mumerigowijegap.weebly.com/uploads/1/3/4/7/134771458/2768671.pdf
- https://nugaginidej.weebly.com/uploads/1/3/4/4/134475369/037b7c2960b255.pdf
- https://xonimitofowe.weebly.com/uploads/1/3/2/6/132682232/9013956.pdf
- https://zafapajesat.weebly.com/uploads/1/3/0/7/130740498/4256235.pdf
- https://gugimamerid.weebly.com/uploads/1/3/4/6/134606591/8867273.pdf
- https://tixovokibena.weebly.com/uploads/1/3/4/1/134109053/jijibigeko.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static1.squarespace.com/static/5fc6f864d2523e4b70bf1a10/t/5fceaea07bca2b4c4f2e721b/1607380641283/paboneseramiret.pdf
- https://static1.squarespace.com/static/5fcf5a13cd9942793f279433/t/5fd61ee8ab1a676c7285da9f/1607868136637/jevixekof.pdf
- https://static1.squarespace.com/static/5fc27b6fdf132613bbc7a91a/t/5fc3d09ce6d49a06bb071d16/1606668445074/rockler_t_track_table.pdf
- https://uploads.strikinglycdn.com/files/a153ba80-9b4a-4615-9bd2-9bdf8fe4e021/statsictics_2015_mc_secure_exam_40_questions_answers.pdf
- https://uploads.strikinglycdn.com/files/6e2926f9-0587-4c27-9df5-d651f51bfc37/monster_graphic_novel.pdf
- https://uploads.strikinglycdn.com/files/eebef3fd-3f98-4d9a-934a-8b5fd555f0ac/61590072156.pdf
- https://uploads.strikinglycdn.com/files/c19ee5b1-e1ee-4cdc-92e0-1b999a67f39a/vinitefase.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000cfdf.binfc42c26bd35d081edfab1c38f5e0ececceba98013d6acb612984367c1b02908c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xCFDF | 5356 bytes |
font_01_sfnt_off0000e1de.bin88fae143143416392661fcb7e2fdd81a0ba850c73dd706aafaf23d02ffbc3de2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE1DE | 10224 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.