MALICIOUS
162
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a link to a known malicious redirector, suggesting an attempt to lead the user to a malicious site. The document also includes a large number of external PDF links, characteristic of SEO link farm abuse. While no scripts were extracted, the presence of a malicious redirector and the overall structure indicate a phishing or redirection attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.9986
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Urgency / deadline lure low SE_URGENCY_LUREDocument contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.link/pify?keyword=casualty+tv+episode+guide
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static.usrfiles.com/ugd/b8c837_1ce3fa0bcc4a4e9384b5cdd3b24dc632.pdf
- https://static.usrfiles.com/ugd/599026_dbdc6cfb3ad74278afe548c8e9b43c0a.pdf
- https://static.usrfiles.com/ugd/b8c837_e744b3cc5f4b4944b7eb28dee483e83d.pdf
- https://static.usrfiles.com/ugd/cc14e4_c92cc4c5a091414badf3f003b5a1df9e.pdf
- https://static.usrfiles.com/ugd/b8c837_a70e80a52f3a4c23bb7641c38ced28af.pdf
- https://static.usrfiles.com/ugd/79e0dc_0f2906f1819243c5ba8bc9c11adbaf6a.pdf
- https://static.usrfiles.com/ugd/b8c837_036edfe4fecf43169e19388be727cec1.pdf
- https://cdn.shopify.com/s/files/1/0437/5989/4689/files/kilubegolapudataw.pdf
- https://cdn.shopify.com/s/files/1/0431/6073/1808/files/colorado_brand_book.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0001a837.bin5d57b42e8142417bcb3afd3fa9803d6fb49dd2d17209e0f97e1831eefe8cca76 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1A837 | 5096 bytes |
font_01_sfnt_off0001b9af.bin5f3ebe19896c8e2d1feef0f26201bf3223fc0aa21300066fe06f4e47a43e9205 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1B9AF | 17048 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.