MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains embedded URLs that redirect to a link farm, with one prominent URL pointing to a redirector. The document body, though partially obfuscated, includes keywords related to free PDF downloads, suggesting a lure. The presence of embedded URLs and the nature of the heuristics indicate an attempt to redirect users to malicious or SEO-farmed content, likely as part of a phishing or malware distribution scheme.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=j2ee+complete+reference+7th+edition+pdf+free+download
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0462/6232/1301/files/fusionner_fichier_acrobat_reader.pdf
- https://cdn.shopify.com/s/files/1/0431/1482/3844/files/dudajowiwo.pdf
- https://cdn.shopify.com/s/files/1/0435/9097/5647/files/canadian_visa_application_form_cic.pdf
- https://cdn.shopify.com/s/files/1/0433/3905/5253/files/soxelowisiwir.pdf
- https://cdn.shopify.com/s/files/1/0434/4836/9319/files/doluvugotupozu.pdf
- https://static.usrfiles.com/ugd/2813e2_eaf6e8bd24e84b7ea66e3ddaea308443.pdf
- https://static.usrfiles.com/ugd/b8c837_8df28bd05ccb41a399151a157c93f8d6.pdf
- https://static.usrfiles.com/ugd/b8c837_d2e163d0ad8f4ade89c02e5fa1497de2.pdf
- https://static.usrfiles.com/ugd/0c4177_ecee3f9ee7b64f269002ff1e23f98acf.pdf
- https://static.usrfiles.com/ugd/b8c837_ada2f0721fb04a95b53db7b484ab5e3f.pdf
- https://static.usrfiles.com/ugd/ce5d00_c80c269dc4bd4cb09bf4931c131f6b28.pdf
- https://static.usrfiles.com/ugd/9e41f0_209b84411e1948dab36215a5c7a318c4.pdf
- https://static.usrfiles.com/ugd/c7ef1a_2cc3635b0bad4ddaba177f7593500477.pdf
- https://static.usrfiles.com/ugd/b8c837_dfc587d6c35a4f17877ed0369fc95c21.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00008d24.bin5b555d8d452a7e97cfe2965f9bd2d82c981f2cac61b5c9ffc3bd87b6c0cbb89e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8D24 | 5512 bytes |
font_01_sfnt_off00009fcb.bin7e2918fc0b1396a8288f2586597023ca2285a8ff09b56a71dfe179a04b60a37d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9FCB | 10468 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.