MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a link to a known malicious redirector, disguised with a seemingly innocuous keyword. The document body itself is heavily obfuscated but contains the malicious URL and numerous other links, suggesting a link farm or redirection scheme. The ML classifier strongly indicates maliciousness, and the presence of embedded URLs points towards a phishing or redirection attack.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=synonyms+worksheet+for+high+school+pdf
- http://files.mar-pascual.com/uploads/1/3/2/6/132683328/vuwevasifupuva-jetozoxaja.pdf
- http://files.vivafitnessshepperton.co.uk/uploads/1/3/0/7/130775934/zokatu.pdf
- http://files.thrivewlb.com/uploads/1/3/2/3/132303337/lifizisukogonovax.pdf
- http://fegoxe.dhammaforeveryone.com/uploads/1/3/1/8/131857419/nimos.pdf
- http://files.intothewildlife.org/uploads/1/3/1/3/131379060/dotukoretam.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0432/5516/9182/files/74797312814.pdf
- https://cdn.shopify.com/s/files/1/0438/9984/6824/files/pewapabiwezekefuvisozavi.pdf
- https://cdn.shopify.com/s/files/1/0429/6730/2295/files/79006982037.pdf
- https://cdn.shopify.com/s/files/1/0432/9806/2501/files/engineering_materials_1_michael_f_ashby.pdf
- https://cdn.shopify.com/s/files/1/0437/7152/7325/files/naxukowozuwa.pdf
- https://cdn.shopify.com/s/files/1/0435/2661/9288/files/fatebenefupipanixebepa.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/vawis.pdf
- https://cdn.shopify.com/s/files/1/0437/7149/4554/files/denadarupekawimuwakodi.pdf
- https://cdn.shopify.com/s/files/1/0439/4234/6907/files/pitinekig.pdf
- https://cdn.shopify.com/s/files/1/0429/7195/5351/files/17124859800.pdf
- https://cdn.shopify.com/s/files/1/0431/7757/4562/files/31699556914.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006656.bin2020426a8ea483a3bfbb3bcdc19c59708cadd1e24922f30db633087c280c7f5e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6656 | 5720 bytes |
font_01_sfnt_off000079c6.bind8271db3e800d64c133e7e635dd3c6f60ace5851cbf3557dc40b6cff06da6744 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x79C6 | 10220 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.