MALICIOUS
194
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains embedded links that redirect to known malicious infrastructure, specifically identified as a redirector for phishing. The ML classifier and ClamAV detection strongly indicate malicious intent. The document body, though partially corrupted, suggests a lure related to a 'Kingspan kooltherm k108 data sheet', likely to trick users into clicking the malicious link.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINKPDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ggtraff.ru/aws?utm_term=kingspan+kooltherm+k108+data+sheet In PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/f07768d0-e88f-4d52-9485-c853dc0f4f89/osrs_cooking_training_profit.pdfIn PDF document text
- https://static1.squarespace.com/static/5fc1012fe5c7695ca99c31f6/t/5fc21de1cb3e0f57719815aa/1606557154347/16991135528.pdfIn PDF document text
- https://static1.squarespace.com/static/5fc0c6a4a87939686407af5f/t/5fc2f0434e98326c02720f7d/1606611011774/learning_teaching_jim_scrivener_vk.pdfIn PDF document text
- https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbcee401af5bf52c3260ae0/1606217281132/kekod.pdfIn PDF document text
- https://static1.squarespace.com/static/5fc13cf30a2757459be51ac1/t/5fc4036bfa04221c719cc8d3/1606681452394/fumafam.pdfIn PDF document text
- https://static1.squarespace.com/static/5fc54630e9fc3622d53ece95/t/5fc6cef6b2fa4660c8c03ae8/1606864630788/alone_season_6_cast_jordan.pdfIn PDF document text
- https://static1.squarespace.com/static/5fc1999f5e8e827d4292cb4b/t/5fc43896173fb5383b2904ef/1606695063494/24207548261.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/720cbc6a-60f9-4064-94d3-96ee74cbb562/43114514521.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d8eb349d-cf23-4426-997e-c6d8d3e2d3d0/14838727461.pdfIn PDF document text
- https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbf66d93c02f22b9d058010/1606379226631/cerave_skin_renewing_gel_oil_face_moisturizer.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/9e393aa9-2318-4306-aaf7-c30535fffa74/17700315712.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/4377fac0-abc9-454c-bd41-bc4a8dfb9d11/40441175464.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ce4096b7-908e-4bd6-9d5e-d448fa3aa6bf/tukadibipodidikumepedeg.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/70e9c6ec-eb9f-4f2b-9756-eb93007d77e1/24581402584.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/465d6e61-ba95-45b3-b35c-917c486f9455/xiwepuvufamifutus.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ae45a9b5-0e71-4c9e-9e2c-afed55ab9631/vlc_media_player_apk_download_for_pc.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000beaa.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xBEAA | 5792 bytes |
SHA-256: c1a64e2acfe733836a217d7234a532493eb8ac6c579d83f5410d864b8af74402 |
|||
font_01_sfnt_off0000d23c.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD23C | 10676 bytes |
SHA-256: 776d0a39806756a833892e97a35940950d51548b478f34fe5dcb4be9137137a4 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.