Verdict: MALICIOUS
Risk Score: 156

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF was classified as malicious by the ML classifier (Nyx, score 0.9996) and by ClamAV, whose signature labels it a phishing trojan. It contains a large number of external links, many pointing to other PDFs and clustered on a few CDN hosts, which is the pattern of a generated SEO link-farm carrier rather than a normally cited document. The document text, although heavily obfuscated, refers to an 'Ezgo marathon manual' and carries authoring-application metadata; that title is the likely lure used to route users to the external URLs.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics (5)

- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 | critical | CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Small PDF contains mass external PDF link farm | critical | PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI | info | PDF_URI
  PDF contains an external URL action.
- Object number defined twice with different bodies | info | PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL | info | EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL channel for which path (macro, JS, link annotation, document body, ...) reached each URL.

| URL | Channel |
|---|---|
| https://trafffi.ru/123?utm_term=ezgo+marathon+manual | PDF link annotation |
| https://cdn-cms.f-static.net/uploads/4375522/normal_5fbbb49a48141.pdf | In PDF document text |
| https://cdn-cms.f-static.net/uploads/4465003/normal_5fb3ec4301cb0.pdf | In PDF document text |
| https://static.s123-cdn-static.com/uploads/4421461/normal_5fc510bc3e8f7.pdf | In PDF document text |
| https://cdn-cms.f-static.net/uploads/4415070/normal_5fc151c64cba3.pdf | In PDF document text |
| https://static.s123-cdn-static.com/uploads/4366369/normal_5fcb647f97d37.pdf | In PDF document text |
| https://cdn-cms.f-static.net/uploads/4454681/normal_5fbe61ddba8ac.pdf | In PDF document text |
| https://voxapinave.weebly.com/uploads/1/3/2/7/132740917/1888046.pdf | In PDF document text |
| http://www.ascendercorp.com/ | In PDF document text |
| http://www.ascendercorp.com/typedesigners.html | In PDF document text |
| https://s3.amazonaws.com/bomupi/love_battle_hollywood_movie.pdf | In PDF document text |
| https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbdf1d2bc819f1cf49da136/1606283730324/modern_marvels_cheese_worksheet_answers.pdf | In PDF document text |
| https://static1.squarespace.com/static/5fc016b9c30a162e0c4e17a3/t/5fc15da47acac6192af3cfbf/1606507940506/worksheet_on_dna_rna_and_protein_synthesis_answer_key.pdf | In PDF document text |
| https://static1.squarespace.com/static/5fc587e7affbf90a6609e8ed/t/5fd1b2bece71ee580fa93b16/1607578302985/86572473861.pdf | In PDF document text |
| https://static1.squarespace.com/static/5fbffb205e8e827d4288adb3/t/5fc25f3d9d79364840da792c/1606573885727/kill_phil_free.pdf | In PDF document text |
| https://static1.squarespace.com/static/5fdcb8173599a867de449200/t/5fdcf8d2bc0c2b25c5aa4e35/1608317140135/jajili.pdf | In PDF document text |
| https://static1.squarespace.com/static/5fc0e0f3f7cf8c75402ad020/t/5fc554f861e25426e1e8f78b/1606767865552/dirt_devil_breeze_instruction_manual.pdf | In PDF document text |
| http://www.w3.org/1999/02/22-rdf-syntax-ns# | In PDF document text (XMP namespace) |
| http://purl.org/dc/elements/1.1/ | In PDF document text (XMP namespace) |
| http://ns.adobe.com/pdf/1.3/ | In PDF document text (XMP namespace) |
| http://ns.adobe.com/xap/1.0/ | In PDF document text (XMP namespace) |
| http://ns.adobe.com/xap/1.0/mm/ | In PDF document text (XMP namespace) |
| http://ns.adobe.com/xap/1.0/rights/ | In PDF document text (XMP namespace) |
| http://scripts.sil.org/OFL | In PDF document text (font licence URL) |
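The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a single regex pass over the raw file bytes. The script below is an added example written for this page, not the analyzer's own code. The thresholds (at least 5 external .pdf links with at least half on one host), the list of keys treated as "active content", and the embedded sample PDF are all constructed assumptions; the sample reuses the two CDN hosts and the trafffi.ru lure URL from the report to mimic its shape. It only sees uncompressed objects, so a real sample that stores its annotations in object streams must be inflated (for example with a PDF library or qpdf --qdf) before scanning.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Uncompressed indirect object: "N G obj ... endobj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# Literal-string /URI value inside a link annotation or URI action.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Keys whose presence makes a duplicated object "active" (assumed list).
ACTIVE_RE = re.compile(rb"/(URI|JavaScript|JS|Launch|OpenAction|AA)\b")


def iter_objects(data: bytes):
    """Yield (num, gen, body) for every uncompressed indirect object."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_objects(data: bytes):
    """Object ids defined more than once with differing bodies.
    A first-wins and a last-wins reader would render different content."""
    seen = defaultdict(list)
    for num, gen, body in iter_objects(data):
        seen[(num, gen)].append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def active_duplicate_objects(data: bytes):
    """Subset of duplicates where some body carries active content;
    this is the case in which the heuristic raises severity."""
    return {k: v for k, v in duplicate_objects(data).items()
            if any(ACTIVE_RE.search(b) for b in v)}


def extract_uris(data: bytes):
    """Decoded /URI strings from link annotations and URI actions."""
    uris = []
    for m in URI_RE.finditer(data):
        raw = m.group(1)
        for esc, lit in ((rb"\(", b"("), (rb"\)", b")"), (rb"\\", b"\\")):
            raw = raw.replace(esc, lit)
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm_score(uris, min_links=5, min_share=0.5):
    """Flag when many links target external .pdf files and most sit on one host."""
    pdf_links = [u for u in uris
                 if urlparse(u).scheme in ("http", "https")
                 and urlparse(u).path.lower().endswith(".pdf")]
    if not pdf_links:
        return {"flag": False, "pdf_links": 0, "top_host": None, "top_share": 0.0}
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0]
    share = top_count / len(pdf_links)
    return {"flag": len(pdf_links) >= min_links and share >= min_share,
            "pdf_links": len(pdf_links), "top_host": top_host,
            "top_share": round(share, 2)}


# Constructed sample: six link annotations plus an incremental update that
# redefines the catalog (object 1) with an /OpenAction pointing at the lure.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (https://cdn-cms.f-static.net/uploads/1/a.pdf) >> >>
endobj
5 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 20 10 30] /A << /S /URI /URI (https://cdn-cms.f-static.net/uploads/2/b.pdf) >> >>
endobj
6 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 40 10 50] /A << /S /URI /URI (https://cdn-cms.f-static.net/uploads/3/c.pdf) >> >>
endobj
7 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 60 10 70] /A << /S /URI /URI (https://cdn-cms.f-static.net/uploads/4/d.pdf) >> >>
endobj
8 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 80 10 90] /A << /S /URI /URI (https://static.s123-cdn-static.com/uploads/5/e.pdf) >> >>
endobj
9 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 100 10 110] /A << /S /URI /URI (https://trafffi.ru/123?utm_term=ezgo+marathon+manual) >> >>
endobj
trailer
<< /Root 1 0 R /Size 10 >>
%%EOF
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /URI /URI (https://trafffi.ru/123?utm_term=ezgo+marathon+manual) >> >>
endobj
trailer
<< /Root 1 0 R /Size 10 /Prev 0 >>
%%EOF
"""

if __name__ == "__main__":
    print(link_farm_score(extract_uris(SAMPLE_PDF)))
    for (num, gen), bodies in active_duplicate_objects(SAMPLE_PDF).items():
        print(f"object {num} {gen} defined {len(bodies)} times with active content")
```

On the constructed sample the link-farm check reports five external .pdf links with 80% on cdn-cms.f-static.net and flags it, and object 1 0 is reported as an active duplicate because its second body adds an /OpenAction. The design choice of keying duplicates on (num, gen) rather than num alone mirrors the "(N G)" wording of the heuristic: a benign incremental update that bumps the generation number is a different object, not a collision.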
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000b762.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB762 | 4928 bytes | 5ecd0ead5efe911fce55aa0ac442125d6059c733783927e875f058c1768c80bb |
| font_01_sfnt_off0000c804.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC804 | 10232 bytes | e7d11eaa5fca1cd42c46a528cbd6d3abe71da3eef9a8c64b559b35ea0f2e5346 |