MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a large number of embedded external links, a common tactic for phishing or directing users to malicious sites. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically identified as a phishing trojan. While no scripts were directly extracted, the PDF structure and embedded URIs suggest an attempt to exploit users through deceptive links.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://trafffe.ru/123?utm_term=nispom+manual+2016
- https://mupibidegupek.weebly.com/uploads/1/3/0/8/130874042/xatuxuz.pdf
- https://zoxamadafipezo.weebly.com/uploads/1/3/1/1/131164297/sagujesopadoponel.pdf
- https://refanoripusegu.weebly.com/uploads/1/3/4/3/134306014/db204.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/zarusegibitumet/sorry_sorry_answer_lyrics.pdf
- https://s3.amazonaws.com/mejigavukolu/96316041594.pdf
- https://s3.amazonaws.com/dukexajuj/the_ace_family_basketball_charity_event_2019.pdf
- https://s3.amazonaws.com/fasanag/wadizumasotisejejisowuwa.pdf
- https://s3.amazonaws.com/sevoga/php_contact_form_template_free.pdf
- https://s3.amazonaws.com/tomaxade/uttrakhand_govt_jobs_2018_2019.pdf
- https://s3.amazonaws.com/guwutivupudutu/67635189203.pdf
- https://uploads.strikinglycdn.com/files/af294e59-1180-43d8-82bf-f59da0775e04/bivixazajatusorififipaga.pdf
- https://s3.amazonaws.com/jolufozo/88090973702.pdf
- https://s3.amazonaws.com/kepevipawit/gta_sa_free_apk_for_pc.pdf
- https://s3.amazonaws.com/pibajuwi/65813975984.pdf
- https://uploads.strikinglycdn.com/files/e8dd3840-17eb-42d1-bd3c-495c0ed8c6a3/fuvotasuxexolarob.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000b67d.bin6c5d01e6ed05a0070fd6d64ec312fda6253ce5743bfbc610d1bdc11aea8d8d5f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xB67D | 5316 bytes |
font_01_sfnt_off0000c886.bin20eae835abd04bc920b5642391c4b9cb232c3ce35f285f64c0bef88b37a0e3f7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC886 | 9556 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.