MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF file contains a link to a known malicious redirector, ttraff.cc, which is likely intended to lead the user to a malicious site. The document body, though heavily obfuscated, contains text suggesting it is a 'reportagem de hoje' (report of today), aligning with a lure. The presence of numerous external PDF links, many pointing to static.usrfiles.com, suggests a link farm designed to obscure the ultimate destination or to spread traffic.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wix?keyword=gazeta+online+reportagem+de+hoje
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static.usrfiles.com/ugd/96768c_5258b657516443c180c73e19d1eb6423.pdf
- https://static.usrfiles.com/ugd/15d534_d06a4e903ef84b78b8eeaa4e712c17d6.pdf
- https://static.usrfiles.com/ugd/b8c837_260a36ff4bd146d7914a3785e69143f1.pdf
- https://static.usrfiles.com/ugd/1e4819_e33cd9b36221492ab00871ec7e58b141.pdf
- https://static.usrfiles.com/ugd/d79848_36733170db4c4071a3a27e885f29ae41.pdf
- https://static.usrfiles.com/ugd/b1277d_e41eab4844844bbba78062e051d9db94.pdf
- https://static.usrfiles.com/ugd/9ff9b8_4e4303d561b34282a8e1df703ce90c1a.pdf
- https://static.usrfiles.com/ugd/d1c05f_0c805df7937c467e846678ab54af9884.pdf
- https://static.usrfiles.com/ugd/429b25_da09b658cac040fe8a1783fa5a523f0a.pdf
- https://static.usrfiles.com/ugd/cafc24_2b1ec97d53b54de0a6cec847e82e3015.pdf
- https://static.usrfiles.com/ugd/b8c837_5f7cf313d14c4353b1e5a6a49c102a40.pdf
- https://static.usrfiles.com/ugd/b8c837_dde8d2c32830414096a45273f73a64fa.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00004ec4.binfd1d18fbb79711c4eac361fe4f2ce5a206ae0dcae11f4be9c7f3339bb52ab8b2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4EC4 | 5352 bytes |
font_01_sfnt_off000060d7.bin3e50a3bfd3b1edf74856d22755de0a17d11486d722dee4152cae87d414f16e5c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x60D7 | 9796 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.