MALICIOUS
214
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a critical heuristic firing for a malicious redirector link, directing users to a URL associated with phishing. Additionally, it exhibits characteristics of a PDF link farm, with numerous external links, one of which is a known malicious redirector. The ML classifier also strongly flagged this PDF as malicious, and ClamAV detected it as a phishing trojan.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://gettraff.ru/123?utm_term=breath+of+the+wild+download+size
- https://palogipotutaz.weebly.com/uploads/1/3/2/8/132814365/7087130.pdf
- https://cdn.sqhk.co/kefexunas/ibjdmig/31911174039.pdf
- https://cdn.sqhk.co/vemikozoj/ZwMhjii/chinese_stress_balls_amazon.pdf
- https://cdn.sqhk.co/lumozupa/E0ogcnA/70574985959.pdf
- https://pufusotek.weebly.com/uploads/1/3/4/3/134376533/lunegumakazanuk.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/tuxutedi/calculator_vault_apk_old_version.pdf
- https://s3.amazonaws.com/woneketelak/aviones_militares_espaoles.pdf
- https://s3.amazonaws.com/tuxenipup/foobar2000_theme_guide.pdf
- https://uploads.strikinglycdn.com/files/48691bab-36b8-4c77-baa7-d7cd48bc0de4/bilabisumobawutifomaze.pdf
- https://uploads.strikinglycdn.com/files/1b4c3aa9-359d-46e9-8db1-9c6ca29995ec/garofuzubovurojewituse.pdf
- https://s3.amazonaws.com/nitajosasa/jalopomanakezoxo.pdf
- https://uploads.strikinglycdn.com/files/985566b0-2c6b-4353-98cc-32e02acac7a7/rudaxuzubewex.pdf
- https://s3.amazonaws.com/zoxewudunigus/resident_evil_4_mobile_mod_apk_revdl.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000d9bb.bin45f4c07226e506c85a58804d7054189f6d6309f7b56ace48222e6ac843cb68bb |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD9BB | 5184 bytes |
font_01_sfnt_off0000eb76.binc174bda21599b8f43462d6e8fe7eebe549e1256505387a3be262c99355414243 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB76 | 10924 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.