MALICIOUS
242
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF contains a large number of embedded links pointing to external PDF files hosted on various disposable domains, a common tactic for SEO manipulation or distributing malicious content. The presence of a critical PDF redirector link and ClamAV detection further supports its malicious nature. The ML classifier also flagged this PDF with high confidence.
Machine Learning
- Nyx PDF Classifier malicious score 0.9792
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ggtraff.ru/strik?utm_term=shaman%252C+healer%252C+sage
- https://gikusevenax.weebly.com/uploads/1/3/4/5/134529244/86f807c7b9.pdf
- https://sabitafev.weebly.com/uploads/1/3/4/3/134308069/rebenijivuz_napiridunitik.pdf
- https://cdn-cms.f-static.net/uploads/4403264/normal_5f92a1363d7a3.pdf
- https://bufasadapigeze.weebly.com/uploads/1/3/4/3/134307931/e2a3fc4f345379.pdf
- https://wanevowak.weebly.com/uploads/1/3/4/4/134465130/8fb1a.pdf
- https://porelananov.weebly.com/uploads/1/3/0/7/130775759/viwesavojelisikuke.pdf
- https://ginefudev.weebly.com/uploads/1/3/4/4/134454890/271353.pdf
- https://dujaporugegebo.weebly.com/uploads/1/3/4/3/134314108/wepuvawuko.pdf
- https://nolegajaji.weebly.com/uploads/1/3/4/5/134519786/1790153.pdf
- https://wubobuxidozexe.weebly.com/uploads/1/3/4/3/134322977/fovapi_pedimidus.pdf
- https://duxawedi.weebly.com/uploads/1/3/4/4/134477895/0f3a10.pdf
- https://jinerepesejo.weebly.com/uploads/1/3/4/5/134576949/lamobegutopesez-tizejiwegawoz-rixiwetife-gaponeti.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/04912f49-db7f-497c-af2d-d83ecb807fc9/linksys_e4200_firmware_upgrade.pdf
- https://uploads.strikinglycdn.com/files/3c99aafd-f4f5-4866-b191-0e1d3f8573ad/fiwaruwixajotaful.pdf
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000ba52.bina4d78f5e298aee32e2cc41a1b3bfc9b06da7c020e771e2a9e0bb1b116364e064 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xBA52 | 5260 bytes |
font_01_sfnt_off0000cc08.bin7249701f495273e18bcefd73ede4305e8f8bee8b7ec326055410d33bac1ef327 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xCC08 | 9840 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.