MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file contains a large number of embedded links, many of which point to a redirector service known for malicious activity. The document body, though heavily obfuscated, includes a URL that appears to be a lure for malicious redirection. The presence of numerous external links suggests an attempt to drive traffic to potentially harmful sites, likely for phishing or malware distribution.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=pokemon+battle+frontier+episode+1
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://cdn.shopify.com/s/files/1/0429/9682/6273/files/freeswitch_developer_guide.pdf
- https://cdn.shopify.com/s/files/1/0434/2956/0481/files/86740901629.pdf
- https://cdn.shopify.com/s/files/1/0437/9816/7713/files/html_caption_format.pdf
- https://static.usrfiles.com/ugd/cbe325_2343eea8236344d2adcb077cf63688a2.pdf
- https://static.usrfiles.com/ugd/defcb2_e3e80298fcef408c99698f9a182a7911.pdf
- https://static.usrfiles.com/ugd/99a8f2_2b4c31a99599480baaef58e2929a8a8e.pdf
- https://static.usrfiles.com/ugd/2a2e94_4875ce93b30d42ff88481ccaafa44b7e.pdf
- https://static.usrfiles.com/ugd/286fb8_05bbf0f9ba454b4cb8561e41e3b7b50d.pdf
- https://cdn.shopify.com/s/files/1/0432/4697/7179/files/zovoviremegotesepevob.pdf
- https://cdn.shopify.com/s/files/1/0433/1415/1589/files/11773506529.pdf
- https://cdn.shopify.com/s/files/1/0435/6653/0719/files/74497586097.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000ca07.binaa155b608c12b408aa50ad8b189bd0e19a3690baea2bfecf5a22e97843987f39 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xCA07 | 47772 bytes |
font_01_sfnt_off00015afc.bin51adcd81ae2b8408fa23755e84641f5326b6601dc587bf510e4ea8bef37a4e88 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x15AFC | 5232 bytes |
font_02_sfnt_off00016ca3.bin2db3f85d021fc81bb83ae7b4a3d7f45aa62b4f3e1df4c66980c37cf1443acd57 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x16CA3 | 10448 bytes |
font_03_sfnt_off00019062.bind1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x19062 | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.