MALICIOUS
194
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file is identified as malicious by multiple heuristics, including a critical alert for linking to known malicious redirector infrastructure and a high ML classifier score. The presence of advance-fee scam language strongly suggests a phishing attempt. The embedded URL leads to a redirector, likely serving as a lure to a malicious site.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LUREDocument contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://cctraff.ru/strik?utm_term=98+arcade+blvd+sacramento
- https://cdn.sqhk.co/diratukuz/iMgigfP/gmail_sign_up_business_account_free.pdf
- https://cdn-cms.f-static.net/uploads/4456135/normal_5fd11691be1d3.pdf
- https://cdn.sqhk.co/vowibesep/Eicjigf/durinomejizipujugavuferu.pdf
- https://sirawomaperuli.weebly.com/uploads/1/3/1/3/131398091/buwafudo.pdf
- https://cdn-cms.f-static.net/uploads/4453537/normal_5fb7c49aea9bc.pdf
- https://cdn-cms.f-static.net/uploads/4393772/normal_5fbb37b1d3aee.pdf
- https://cdn-cms.f-static.net/uploads/4453142/normal_5fd7b30235c49.pdf
- https://cdn-cms.f-static.net/uploads/4410976/normal_5f9649e0cd002.pdf
- https://cdn-cms.f-static.net/uploads/4366625/normal_5f8751249b861.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/ladiwuzetawedi/cmi_informatique_chalon_sur_saone.pdf
- https://uploads.strikinglycdn.com/files/68295b25-1178-4de4-ae0b-f837015a5398/growling_grass_frog_distribution.pdf
- https://s3.amazonaws.com/dofufiri/solasewuzovezubikebov.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000d862.binfc22954278836709e7f48845a65dabe5705810f1874d2c0eb9717dc28e43dc87 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD862 | 5540 bytes |
font_01_sfnt_off0000eb1b.bin78e94e2e47178245ca437e301e19f50dc99845ecc02da2ba30fe2b1e34051cc2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB1B | 2092 bytes |
font_02_sfnt_off0000f4c0.bin455aa5e8b088da8959589a7a6417dc2e91f50451a87e1d8f640f6098c358431a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF4C0 | 10976 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.