MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a significant number of embedded URLs, with one identified as a malicious redirector. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external PDF links, suggesting a link farm or redirection scheme. While no scripts were extracted, the presence of a malicious redirector and numerous external links points to an attempt to lure users to potentially harmful content.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.link/pify?keyword=06+mustang+gt+auto+to+manual+swap
- http://lemevi.freebackgroundphotos.com/uploads/1/3/1/4/131407668/820924.pdf
- http://wafirevot.fiveboroughbucketlist.com/uploads/1/3/2/8/132814742/1376973.pdf
- http://fuzobufes.timsteigenga.com/uploads/1/3/1/3/131398455/7591684.pdf
- http://files.rcgswi.org/uploads/1/3/0/7/130738534/ddbd02.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static.usrfiles.com/ugd/b8c837_09965cc0bac748d0a6ba1edf743a910a.pdf
- https://static.usrfiles.com/ugd/4bb894_0397f7a8ff944580b65f09cb4005e16d.pdf
- https://static.usrfiles.com/ugd/aff7ca_6c2db8709a55419391322ed9ab4b083c.pdf
- https://static.usrfiles.com/ugd/d1c05f_8af45caacbf144278b1dcaf3dc126f20.pdf
- https://static.usrfiles.com/ugd/76aeb6_b272e88c09a34320a8b00485429095cc.pdf
- https://static.usrfiles.com/ugd/b8c837_3b108d09a0114a81aec1da4e4a13d027.pdf
- https://static.usrfiles.com/ugd/22739b_6652fb0253a044b08217aed4bd0afeab.pdf
- https://static.usrfiles.com/ugd/01d500_9f5f1239bcca4d7585a3f23a2c87d9a5.pdf
- https://static.usrfiles.com/ugd/d31907_0606a13705bc46999a995a872a32a453.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006cf3.bin64d7287944cb5f184548895c68ce3ae9a0b2d66b0830813cd4ea1f4f92ccf3cc |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6CF3 | 5336 bytes |
font_01_sfnt_off00007f20.binfb3fa2791d017f818dc605920ddca0ad15bae19eab1a50bce83cdbe72b00be78 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7F20 | 10504 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.