MALICIOUS
74
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains heuristics indicating it is a malicious SEO redirector, using an image lure to trick users into clicking a link. The primary malicious URL identified is 'https://trafftec.ru/aws?keyword=icivics+answer+key+the+great+state', which is likely used to deliver a secondary payload or conduct a phishing attack. No scripts were extracted, but the PDF structure and URL suggest a common phishing or malware distribution vector.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics 3
-
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINKPDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://trafftec.ru/aws?keyword=icivics+answer+key+the+great+state PDF link annotation
- https://gusumadanu.weebly.com/uploads/1/3/2/6/132695601/1145be3e.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4380854/normal_5f93c489b43a4.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4367624/normal_5f89bdaa95a81.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/b56288ab-f510-4a06-84ed-d2f277911729/namoze.pdfIn PDF document text
- https://s3.amazonaws.com/fatikonavori/magic_quadrant_for_application_security_testing.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/6c254289-d59d-4803-b42a-72df8d1aa487/mamid.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ed93b14a-39fc-4294-9c74-c26fed8c9be1/49592201081.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/6c5365c5-a335-4218-a22b-280db1784b95/80350981754.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/3d560f95-f35f-497d-8e3e-a9e90604299b/9696359837.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/0c97a5d3-7ae0-4241-976b-3b36ec1011da/when_is_resident_match_day_2020.pdfIn PDF document text
- https://s3.amazonaws.com/xanebavifamopez/kowomepejugovajuwikuzuwan.pdfIn PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000528e.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x528E | 5284 bytes |
SHA-256: 2ccf4fb16a20548f99228f7a6ce72b615d48c351012407b4c03a2bc7b9b85764 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.