MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains numerous external links, with one prominent link pointing to a suspicious domain ('traffine.ru') and another to an Amazon S3 bucket containing a PDF. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware distribution. The presence of embedded URLs and the heuristic 'PDF_SEO_LINK_FARM' suggest an attempt to create a link farm for SEO manipulation or to distribute further malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9544
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://traffine.ru/aws?utm_term=cooking+academy+apk+for+pc PDF link annotation
- https://sigakoge.weebly.com/uploads/1/3/4/4/134437147/povigogine-fuwug-xoloduruzutov-datijujojuxe.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4416672/normal_5fb38dc3cf016.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/gagagakigibapo/53354068599.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/54a08d96-bcf0-4523-a34b-5ac77e609531/82899159559.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/dedea5c4-c68f-4451-b914-f853dde0291c/power_of_the_cross_chords.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e3f32148-ae6a-48df-9ec6-26bb7f44a54a/58905589854.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e3756681-4359-4f1f-9749-c5da463d16db/86366182129.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/cfb4ab22-5565-4b64-b78b-af7599216dd7/i_like_me_by_nancy_carlson_youtube.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/0bef000b-ab1e-4904-8ab7-9756930c3985/60216903829.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/df37bbd9-ff24-4cb5-b7fe-06c75229e75c/wpf_4.5_unleashed_github.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e814e2a2-ad21-4e89-a475-8e9b2985342d/vileguroxozumajawulenek.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ba3bb060-a73e-4b95-bdd3-75350c43915b/50841712003.pdfIn PDF document text
- https://s3.amazonaws.com/kozibowisenatu/houston_rodeo_closed_2020.pdfIn PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000b722.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xB722 | 5160 bytes |
SHA-256: f1287f5415b50e54a76e09b64c118ab27d60f4305ed3d9f11aed2613e0a9d5b5 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.