MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains numerous external links, including a suspicious URL that appears to be part of a link farm designed to redirect users. The document body, though heavily obfuscated, contains text related to 'ppsspp download android', suggesting a lure for users seeking that software.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://trafffe.ru/strik?utm_term=ppsspp+download+android
- https://cdn-cms.f-static.net/uploads/4383929/normal_5fa8134f69ce4.pdf
- https://cdn-cms.f-static.net/uploads/4366957/normal_5f8787846a7a1.pdf
- https://finiluxexolije.weebly.com/uploads/1/3/1/8/131856594/2103082.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/tinajabizoreguf/nuzobigoga.pdf
- https://uploads.strikinglycdn.com/files/f107110b-320c-48c6-b4e5-3bb634e5d6b9/keketaburubife.pdf
- https://uploads.strikinglycdn.com/files/598cba16-0005-4bab-89b1-30de57508a3b/77900734404.pdf
- https://uploads.strikinglycdn.com/files/032fbdab-98ff-44f2-af10-fbd2431d0938/gabinaxuwosozalewizul.pdf
- https://uploads.strikinglycdn.com/files/b07d4d81-f49f-4b10-860f-6878d404c263/tegek.pdf
- https://uploads.strikinglycdn.com/files/a7b08886-b991-4cdd-8796-2600f3e7e2b1/code_vein_rv_mastery_items.pdf
- https://uploads.strikinglycdn.com/files/1522d57a-81d5-4fab-90de-660da91e9014/60861207789.pdf
- https://uploads.strikinglycdn.com/files/83d02224-80eb-45b2-8db3-686a36321601/investigacion_de_operaciones_taha_ejercicios_resueltos.pdf
- https://uploads.strikinglycdn.com/files/b13ee4e8-17ff-472a-8bb3-ec8d3c4604e1/54479893511.pdf
- https://uploads.strikinglycdn.com/files/ab3265f7-459a-4728-8e21-2e60df7cbba3/47709595111.pdf
- https://uploads.strikinglycdn.com/files/877d817d-46d0-437c-877f-8db92c1e12eb/poduwipagereru.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000ca13.bin1be0455155ec996df443db8d502c1d84ac16317cbc6b500960f8d9171ee25490 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xCA13 | 5044 bytes |
font_01_sfnt_off0000db55.bin5817c0e41db773a4f4eb8c32ea52700399a3ed38ee69895b4a237289071a5552 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDB55 | 10608 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.