MALICIOUS
214
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a link farm and redirects to a known malicious URL, indicating a phishing or malware distribution attempt. The ML classifier and ClamAV detection strongly suggest malicious intent. Although no scripts were extracted, the embedded URLs and heuristic firings point to a malicious redirector and link farm, likely used to host or distribute further malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://traffmen.ru/strik?utm_term=annotated+bibliography+examples+chicago+style
- https://rajaxamakato.weebly.com/uploads/1/3/2/3/132302926/43ec7e21c5.pdf
- https://rodekimixew.weebly.com/uploads/1/3/4/3/134314341/3d67a5dcaa1.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/fe38d1bb-4f33-4894-ba2b-d293affecf05/68840222596.pdf
- https://s3.amazonaws.com/fulomufimikim/minecraft_buildings_guide.pdf
- https://uploads.strikinglycdn.com/files/fcb45c06-960f-49b8-b310-cf4c898e0dbd/avabel_warrior_guide.pdf
- https://static1.squarespace.com/static/5fc66fe517e72026400ff170/t/5fd135b20e16cf6799604e5e/1607546291581/download_smurfs_bubble_story_mod_apk.pdf
- https://s3.amazonaws.com/petubapizo/23439612658.pdf
- https://uploads.strikinglycdn.com/files/085e8b57-09ae-4387-ba52-3864637f23ad/wezikatoxusevuzap.pdf
- https://s3.amazonaws.com/sakaburepagase/viber_iphone_old_version.pdf
- https://uploads.strikinglycdn.com/files/c167b6b1-ea4b-4ba1-959c-1fa6d2e3203f/muwubumulowutadubef.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000c98b.bin03a3c66f8df89cd5a6418a314aec75df299272b268a93728ce6d71b31ab79e56 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC98B | 5784 bytes |
font_01_sfnt_off0000dd21.binc7385b14e83b10507033047d87c2e3a813d43114438ab64cb90f71c00a64ec92 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDD21 | 10024 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.