Verdict: MALICIOUS
Risk Score: 212
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF carries numerous clickable links to external websites; at least one points at known malicious redirector infrastructure and the bulk of the rest form a link farm of other hosted PDFs. A ClamAV hit for 'Pdf.Phishing.Trojan' and the ML classification corroborate the malicious verdict. The document body, though heavily obfuscated, contains the strings 'discord private message bot' (the utm_term of the redirector URL, i.e. the search query the lure was generated for) and 'wkhtmltopdf' (an HTML-to-PDF renderer, consistent with the file being machine-generated from a web page rather than authored as a document). None of the heuristics below reports a JavaScript channel, so the T1059.007 mapping is not corroborated by the listed detections; the observed behaviour is a click-driven redirect chain rather than script execution or a parser exploit.
Machine Learning
- Nyx PDF Classifier malicious score 0.9095
Heuristics (4)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): the PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): a small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- Embedded URL info (info, EMBEDDED_URL): one or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) say how each URL was reached, and are not reproduced in this export. The ascendercorp.com, scripts.sil.org, sinhala.sourceforge.net and gnu.org entries are characteristic of licence and credit strings inside the three embedded fonts carved below rather than of link annotations, and should not be treated as indicators. Extracted URLs:
- https://cctraff.ru/strik?utm_term=discord+private+message+bot
- https://bavejojonosepes.weebly.com/uploads/1/3/1/3/131380601/6768121.pdf
- https://kofovozeregom.weebly.com/uploads/1/3/4/3/134313602/furapizusuxoj.pdf
- https://kodopagedo.weebly.com/uploads/1/3/4/3/134350575/0bb68bfa408f.pdf
- https://sagogekur.weebly.com/uploads/1/3/4/4/134469423/337b2b1a0e58f.pdf
- https://cdn-cms.f-static.net/uploads/4367286/normal_5fa176b45f99f.pdf
- https://gepopoxano.weebly.com/uploads/1/3/4/6/134663556/xodosevemazupumaga.pdf
- https://cdn-cms.f-static.net/uploads/4473656/normal_5fa89dc75eda8.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/376466b0-f70e-418f-9fa3-6fcb68be2dca/everfi_credit_scores_answers_quizlet.pdf
- https://uploads.strikinglycdn.com/files/ef99fde7-0495-4c44-9e28-4d9e37dab9f7/30408707320.pdf
- https://s3.amazonaws.com/sinamozagemoger/html5_bootstrap_template_login.pdf
- https://s3.amazonaws.com/pusixa/piano_sheet_music_funeral_for_a_friend.pdf
- https://s3.amazonaws.com/jezekemunidup/pokugulobebigagufemisejoz.pdf
- https://s3.amazonaws.com/bufipevuril/sales_executive_resume_templates.pdf
- http://scripts.sil.org/OFL
- http://sinhala.sourceforge.net/
- http://sinhala.cvs.sourceforge.net/viewvc/*checkout*/sinhala/sinhala/fonts/CREDITS
- http://www.gnu.org/licenses/gpl-2.0.html
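The two critical heuristics above are simple enough to reproduce for local triage. The following is an added example, not the analyzer's code: it pulls URLs out of raw PDF bytes, separates clickable `/URI` link-annotation targets from URLs that merely occur in the document body (font licence strings and the like), and then applies a link-farm check (small file, many clickable `.pdf` links, clustered on one domain) and a redirector-indicator check. The thresholds, the `example.com` sample hosts and the one-entry indicator set (the host of the first URL listed in this report) are assumptions for the example; a real tool would substitute its own feed and would first inflate FlateDecode and object streams, which this byte scan does not see.

```python
"""Triage a PDF for the two link-based heuristics in the report above.

Added example, not the analyzer's own code. It works on raw PDF bytes, so it only
sees uncompressed objects; a production tool must also inflate FlateDecode and
object streams first. Thresholds and the indicator set are assumptions.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# URI actions hang off /Link annotations:  /A << /S /URI /URI (https://...) >>
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Any http(s) URL anywhere in the file (font licence strings, producer metadata, ...)
BARE_URL_RE = re.compile(rb"https?://[^\s()<>\[\]\"']+")
# Assumed indicator set: the host of the first URL the report lists. The analyzer's
# real list is not published; substitute your own threat-intel feed here.
REDIRECTOR_HOSTS = {"cctraff.ru"}


def extract_urls(pdf: bytes) -> dict:
    """Map each URL to the channel that reached it: 'link-annotation' or 'document-body'."""
    urls = {}
    for m in BARE_URL_RE.finditer(pdf):
        urls.setdefault(m.group(0).decode("latin-1"), "document-body")
    for m in URI_ACTION_RE.finditer(pdf):
        urls[m.group(1).decode("latin-1")] = "link-annotation"  # clickable wins
    return urls


def registered_domain(url: str) -> str:
    """Crude registrable-domain key (last two labels); no public-suffix list."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def triage(pdf: bytes, min_links: int = 8, max_size: int = 200_000,
           min_share: float = 0.5) -> dict:
    """Apply the link-farm and redirector checks; thresholds are assumptions."""
    urls = extract_urls(pdf)
    clickable = [u for u, ch in urls.items() if ch == "link-annotation"]
    pdf_links = [u for u in clickable if urlparse(u).path.lower().endswith(".pdf")]
    domains = Counter(registered_domain(u) for u in pdf_links)
    top_domain, top_n = domains.most_common(1)[0] if domains else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    redirectors = sorted(u for u in clickable
                         if (urlparse(u).hostname or "").lower() in REDIRECTOR_HOSTS)
    return {
        "urls": urls,
        "clickable_pdf_links": len(pdf_links),
        "top_domain": top_domain,
        "top_domain_share": round(share, 2),
        # PDF_SEO_LINK_FARM: small file, many clickable .pdf links, clustered on one domain
        "link_farm": len(pdf) <= max_size and len(pdf_links) >= min_links and share >= min_share,
        # PDF_MALICIOUS_REDIRECTOR_LINK: a clickable URI pointing at known redirector infra
        "redirector_links": redirectors,
    }


def build_sample_pdf(link_urls, body_text: str) -> bytes:
    """Constructed sample: one page with a /Link annotation per URL and a text stream."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>", None, None]
    refs = []
    for u in link_urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 200 12] "
                    b"/A << /S /URI /URI (" + u.encode("latin-1") + b") >> >>")
        refs.append(b"%d 0 R" % len(objs))
    objs[2] = (b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
               b"/Contents 4 0 R /Annots [" + b" ".join(refs) + b"] >>")
    stream = body_text.encode("latin-1")
    objs[3] = b"<< /Length %d >>\nstream\n" % len(stream) + stream + b"\nendstream"
    out, offsets = b"%PDF-1.4\n", []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    startxref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, startxref))
    return out


# Constructed input: eight farm links on one domain, one redirector link, and a
# licence URL that only appears in the content stream (document body, not clickable).
SAMPLE_LINKS = [f"https://site-{i}.example.com/uploads/{i:02d}/doc{i}.pdf" for i in range(8)]
SAMPLE_LINKS.append("https://cctraff.ru/strik?utm_term=discord+private+message+bot")
SAMPLE_PDF = build_sample_pdf(SAMPLE_LINKS, "Font licence: http://scripts.sil.org/OFL")

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

On the constructed sample, `triage` flags the link farm (eight clickable `.pdf` links, all on `example.com`) and lists the redirector link, while `http://scripts.sil.org/OFL` is reported only as a document-body URL. Run it against a real sample with `triage(open(path, "rb").read())`; if the result shows no clickable links at all for a file that clearly has them, the annotations are inside compressed streams and must be inflated before scanning.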
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00016555.bin | a1f9c892ddb5930226eba8a9f2e7236635ab4dc9b30d29d5dd5e4b00ec794f4f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16555 | 5560 bytes |
| font_01_sfnt_off000177ed.bin | d72d5f12e7a7b739f096302857439d7bff2ce5cc4fa4828c6501621ccb47a5c4 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x177ED | 2868 bytes |
| font_02_sfnt_off000182ec.bin | 512e587ad5043e94f212ed0f6378c678c1087f84c03fa61c66b3675262c5d471 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x182EC | 3940 bytes |