MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://trafficel.ru/strik?keyword=aprilaire+400m+installation+manual PDF link annotation
- https://risebezisenozo.weebly.com/uploads/1/3/4/3/134375164/girirurofup.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/53755d7d-172a-450a-a2ea-dbb51a3a476f/jotivonikemibe.pdfIn PDF document text
- https://s3.amazonaws.com/sojaxub/65943638939.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/413b76e8-b773-4874-9f36-cef634aaa0c9/59477625583.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/de25902e-bd7b-449a-80b5-5f25b28ebb2b/vehicle_modification_station_fragments.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/719d085e-c505-4262-9bc5-d4bc65a90200/free_cvc_words_worksheets.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/cd72fc9a-a0e9-463e-831f-0517b80af8b1/36455018291.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/917e67f4-4f3e-4f34-93f3-1dd299741575/curious_george_full_episodes_pbs.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/fa7141ef-136a-41d3-ad68-dbaea90b3913/lapuda.pdfIn PDF document text
- https://s3.amazonaws.com/rubidokezive/86250325313.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000c0f7.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC0F7 | 5184 bytes |
SHA-256: 233b2bfc2fec4e0b1b3efd9a2479b497b309c9a4148737c9782d9f27454fae6a |
|||
font_01_sfnt_off0000d280.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD280 | 10932 bytes |
SHA-256: 67ec5f703e22f1a6a92bf0cb8c7159aec8a2ae68428718e89d257bbdcb61b915 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.