MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF document contains a link farm designed to mimic search results, directing users to a malicious redirector. The primary malicious URL identified is https://ttraff.club/wix?keyword=hindu+calendar+2019+varanasi+pdf. While no scripts were explicitly extracted, the PDF structure and embedded links suggest an attempt to exploit user trust for redirection to potentially harmful content.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.club/wix?keyword=hindu+calendar+2019+varanasi+pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://fedorahosted.org/lohit
- https://static.usrfiles.com/ugd/b7ed05_c407f9117ab0413097cf9c01746743b8.pdf
- https://static.usrfiles.com/ugd/87d215_022e7f9e23314fc8ae74cb520d189a44.pdf
- https://static.usrfiles.com/ugd/2ca09c_f8722631ca9a4534b75425c055f2ff9c.pdf
- https://static.usrfiles.com/ugd/b8c837_8fa69218529147fcae3f294073b34b4a.pdf
- https://static.usrfiles.com/ugd/aef5b7_c3daccfd97f3420bb7517e4ec24edb0c.pdf
- https://static.usrfiles.com/ugd/b28561_6f9715b6dd974e3699ab43862cd4b1e2.pdf
- https://static.usrfiles.com/ugd/a8cc01_9abec18c2c6149f199779d7fd01f97b9.pdf
- https://cdn.shopify.com/s/files/1/0431/8606/1480/files/perorazuligivasotet.pdf
- https://cdn.shopify.com/s/files/1/0435/6990/5825/files/gamubegeresowebo.pdf
- https://cdn.shopify.com/s/files/1/0434/6891/4838/files/wasolaraw.pdf
- https://cdn.shopify.com/s/files/1/0432/6971/8182/files/pinosoda.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00008a23.binc91dfa9cdc5aafffcc22977fdf596673cdafe68eda9e0ddd52f95cde191f1e55 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8A23 | 5652 bytes |
font_01_sfnt_off00009d72.bin8b022cf3042c9c8cc86fa6833007dfe9e3214e20fbe4cb467af544ebcb63b811 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9D72 | 14080 bytes |
font_02_sfnt_off0000c9b8.bin283212d7ce6eb02055805e52b0c8ccfae4f76088eca1fd12d951d667a71ed9b1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC9B8 | 10656 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.