MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a large number of embedded links, many of which point to a link farm designed to redirect users to potentially malicious sites, as indicated by the 'PDF_MALICIOUS_REDIRECTOR_LINK' and 'PDF_SEO_LINK_FARM' heuristics. The document body, though heavily obfuscated, contains URLs that are likely part of this redirection scheme. The ML classifier also strongly indicated maliciousness.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=camel+training+manual+pdf
- http://files.eventsforyou.net/uploads/1/3/1/4/131437657/289536.pdf
- http://files.theprisonerlist.com/uploads/1/3/1/3/131382808/2c3a16da1a74cbf.pdf
- http://files.jennyscreativeedge.com/uploads/1/3/0/9/130969340/perokofawef.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0435/2566/9028/files/viveg.pdf
- https://cdn.shopify.com/s/files/1/0432/0631/2093/files/fimini.pdf
- https://cdn.shopify.com/s/files/1/0430/9948/8410/files/96599859476.pdf
- https://cdn.shopify.com/s/files/1/0427/6604/1244/files/xosimesinofidadateridomo.pdf
- https://cdn.shopify.com/s/files/1/0434/6553/9741/files/pebexivasuma.pdf
- https://cdn.shopify.com/s/files/1/0431/8085/1364/files/todijikubuxesuwepe.pdf
- https://cdn.shopify.com/s/files/1/0434/0029/8648/files/jabukipiraliroxaxuvevor.pdf
- https://cdn.shopify.com/s/files/1/0433/2807/7992/files/gubagin.pdf
- https://cdn.shopify.com/s/files/1/0429/9731/7783/files/26404161192.pdf
- https://cdn.shopify.com/s/files/1/0431/4100/5480/files/66815071183.pdf
- https://cdn.shopify.com/s/files/1/0428/2309/0343/files/english_to_gujarati_translation.pdf
- https://cdn.shopify.com/s/files/1/0430/8451/3444/files/kibakemofu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00008fd5.bin70a0667f6c608e3d584d012e1db7dd108e1326a6c23aec50e1d06df7cf7d6c35 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8FD5 | 5088 bytes |
font_01_sfnt_off0000a10b.bin9c052fe0e39a84f156713a64c37b951e380ebb8bdb726ac365db6400299adda9 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA10B | 10416 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.