MALICIOUS
124
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF document contains a large number of external links, many hosted on disposable domains, suggesting a link farm or SEO spamming operation. One of the embedded URLs, https://trafficel.ru/123?keyword=happy+room+hacked+arcadeprehacks, is flagged as malicious. The document's content and structure strongly indicate it's part of a phishing or malicious redirection scheme, likely intended to drive traffic to malicious sites or download further malware.
Machine Learning
- Nyx PDF Classifier malicious score 0.9994
Heuristics 4
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://trafficel.ru/123?keyword=happy+room+hacked+arcadeprehacks PDF link annotation
- https://nabesoke.weebly.com/uploads/1/3/4/0/134042749/lulewowuboje_tuvubefogogape_fisijidikoxon.pdfIn PDF document text
- https://remewizefo.weebly.com/uploads/1/3/1/8/131856163/7e3bbe9.pdfIn PDF document text
- https://nebemono.weebly.com/uploads/1/3/4/3/134331812/genesokom.pdfIn PDF document text
- https://bafuvaki.weebly.com/uploads/1/3/4/3/134336870/kitawo.pdfIn PDF document text
- https://fanawilixu.weebly.com/uploads/1/3/1/4/131408209/edcf81c600b.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4368781/normal_5f9d358804142.pdfIn PDF document text
- https://dutitujazekap.weebly.com/uploads/1/3/0/8/130814390/4056517.pdfIn PDF document text
- https://vodipewelo.weebly.com/uploads/1/3/1/6/131637384/baf16012dcf2584.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/ff3b8c59-d868-4153-8fbf-72ce6972a52c/66559806279.pdfIn PDF document text
- https://vesituguz.files.wordpress.com/2020/11/47052364774.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a1c11591-1cf7-43b2-ac1c-702000a8711d/80228073533.pdfIn PDF document text
- https://jaxokalu.files.wordpress.com/2020/11/3174835762.pdfIn PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00004f5a.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4F5A | 4960 bytes |
SHA-256: 59d5f3ec1c2bc9f9fda0a23a44969bc3dffadf3a831fd588e4ee4fd23545bb73 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.