Verdict: MALICIOUS
Risk Score: 154
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains numerous links, including one pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text suggesting it is a guide for an 'interactive APK' and includes the malicious URL. This indicates an attempt to trick users into visiting a malicious site, likely for further exploitation or malware delivery.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (4)
- PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URLs:
- https://ttraff.ru/pify?keyword=ceneval+guia+interactiva+apk
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off000055bd.bin (hash c2276932ca5aa4077b49d97895c78ee2e6afee810043b64ce49fad0d30cdc67e) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x55BD | 4952 bytes |
| font_01_sfnt_off000066b3.bin (hash af31ffb3f4343198cffc06422377f4fe5a964ed699a5904c5b60fe969728ca66) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x66B3 | 15728 bytes |