MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The heuristic 'PDF_SEO_LINK_FARM' suggests the document is designed to host numerous external links, likely to phishing sites or further malware. The embedded URL 'https://traffnew.ru/aws?utm_term=css+grid-+template-+columns+fr' is part of this link farm, potentially serving as a lure or redirector.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://traffnew.ru/aws?utm_term=css+grid-+template-+columns+fr
- https://static.s123-cdn-static.com/uploads/4455178/normal_5fe0c3003c5bc.pdf
- https://lodirunesu.weebly.com/uploads/1/3/0/8/130874391/9225f5590a2.pdf
- https://static.s123-cdn-static.com/uploads/4417645/normal_5fdfa06639546.pdf
- https://cdn-cms.f-static.net/uploads/4475216/normal_5fb7d6437e88e.pdf
- https://cdn-cms.f-static.net/uploads/4372955/normal_5f89ff86be712.pdf
- https://cdn-cms.f-static.net/uploads/4478134/normal_5fb2df0fdada8.pdf
- https://cdn-cms.f-static.net/uploads/4407060/normal_5fdbbfa7f1df3.pdf
- https://static.s123-cdn-static.com/uploads/4458421/normal_5fecd5b282cfe.pdf
- https://cdn-cms.f-static.net/uploads/4408983/normal_5f93852a754d9.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://s3.amazonaws.com/jepavilutabilel/database_administrator_interview_questions.pdf
- https://s3.amazonaws.com/nevowimo/lixawitumapuwozawadexena.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000cbcd.binbb99fa0aaa8dd1fbc7d2b994d53fd752a680e50ba46eea670d64842508cab23f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xCBCD | 16592 bytes |
font_01_sfnt_off0000fe2a.binb8417d30bed392a258b2b434dd9fb7196f3eed47b0a4450c15ac651bbefbf6b4 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFE2A | 5412 bytes |
font_02_sfnt_off0001107e.bin0d57e44021b7a2ea2fa1065f29b68792539fe3349ff30654e5e4403dc68e370f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1107E | 11204 bytes |
font_03_sfnt_off000136d3.bina542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x136D3 | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.