MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains a heuristic firing for PDF_SEO_LINK_FARM, indicating it hosts a large number of external links. One of these links, https://trafficel.ru/aws?keyword=comcast+augusta+tv+guide, appears to be a lure. The presence of multiple external PDF links suggests a phishing or content-farming attempt. While no scripts were explicitly extracted, the PDF structure and link farm heuristic point towards a malicious intent to redirect users to potentially harmful sites.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://trafficel.ru/aws?keyword=comcast+augusta+tv+guide
- https://pegepefip.weebly.com/uploads/1/3/4/4/134455730/7646413.pdf
- https://cdn-cms.f-static.net/uploads/4470029/normal_5fa3e5ef7c780.pdf
- https://fimuxexepal.weebly.com/uploads/1/3/4/6/134615427/sawaso.pdf
- https://gogipemefa.weebly.com/uploads/1/3/4/4/134471158/wulej_nizufezesoto_mobovutop.pdf
- https://cdn-cms.f-static.net/uploads/4368235/normal_5f947b9e608f5.pdf
- https://nagafibujur.weebly.com/uploads/1/3/4/5/134514283/boninebigugugetuditu.pdf
- https://cdn-cms.f-static.net/uploads/4377114/normal_5f8a0758dadc3.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/jamokaroxoj/roblox_2007_download.pdf
- https://s3.amazonaws.com/kagedatabujo/centralia_city_schools_district_135.pdf
- https://s3.amazonaws.com/jumedemimo/lullaby_of_birdland_cm.pdf
- https://s3.amazonaws.com/vigevot/butcher_block_dining_table_set.pdf
- https://s3.amazonaws.com/nokiva/tazuderuboxigaxa.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e726.bin83843fffef599d85c9f3a9079b487555d0d5a29ddf29966dc2316958ce9fb16d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE726 | 5096 bytes |
font_01_sfnt_off0000f86f.bin2f160aac6d82ddbf0e18d3a89403d9c15fff30ebb19887806c26273ff86f427d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF86F | 11532 bytes |
font_02_sfnt_off00011e83.bin5bfda07072dd2e1b0df7f1680a75ba616774ec51e1a09c257f000ba239241e1c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11E83 | 16140 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.