MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'traffmen.ru'. This URL is likely used to redirect users to a malicious site for phishing or malware delivery. The ML classifier also strongly flagged this PDF as malicious. No scripts were extracted, but the presence of a malicious URL in a PDF document suggests an attempt to trick the user into clicking it.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://traffmen.ru/aws?utm_term=asp.+net+gridview+css+templates+free In PDF document text
- https://cdn-cms.f-static.net/uploads/4409258/normal_5f9dfbe7e3f7c.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4387219/normal_5fcf7770d8ab1.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/a7f2ee19-205b-48c3-954c-9fecde3f796d/csumoodle_remote_learner_net.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/26fb8d6e-a191-4d35-a057-b8298842dc26/85767594895.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/23ca22c4-ae7c-4070-acae-0a7ab6dbed3f/kakig.pdfIn PDF document text
- https://s3.amazonaws.com/tobaziw/lamagojowo.pdfIn PDF document text
- https://s3.amazonaws.com/daraniwekamidir/tusikoxagunuwoz.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8db17080-dfbe-48e6-9d7b-b16d21684621/68681464229.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/62b44005-1b30-4761-be94-d64086048d30/1003108018.pdfIn PDF document text
- https://s3.amazonaws.com/duzexefemosaxe/kotalitibexa.pdfIn PDF document text
- https://s3.amazonaws.com/susonanezaj/certificate_of_completion_form_p1e.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000c40a.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC40A | 5648 bytes |
SHA-256: 4f1ed6ef9d766ee71b3ee23794148701e4d357e985b04e4d3debf6e9b7901341 |
|||
font_01_sfnt_off0000d74a.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD74A | 11832 bytes |
SHA-256: 120396d1b022c5ee5dfc9dae7228440f0b92becac8562a89f242d4bdec26a70c |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.