MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains numerous embedded links, including one pointing to a known malicious redirector (ttraff.cc). The document body, though heavily obfuscated, contains text suggesting it is a 'definitive guide to dax pdf', a common lure for phishing or malware delivery. The presence of many external PDF links further indicates a link farm or SEO manipulation tactic, likely to obscure the malicious redirector.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wix?keyword=the+definitive+guide+to+dax+pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static.usrfiles.com/ugd/3b47cb_1f1a01bd602b4b0d927d5bc4da9846eb.pdf
- https://static.usrfiles.com/ugd/b8c837_5c3f0db402aa4661add6d593c1d3be1b.pdf
- https://static.usrfiles.com/ugd/704566_756e3d9e94274fbfb4cc6fafd9af89d8.pdf
- https://static.usrfiles.com/ugd/696117_9b6b80f381dd49c19a79586d8190101a.pdf
- https://static.usrfiles.com/ugd/ac51ce_eccd2ee255e543a0bed4603460c547e9.pdf
- https://static.usrfiles.com/ugd/07625c_6cf6238411944a43ac287feb8b547324.pdf
- https://static.usrfiles.com/ugd/2274a7_086c6b972b784391b8204229f2a4309b.pdf
- https://static.usrfiles.com/ugd/5af86b_655a7c2f0ceb4ac29abe0d378a04deea.pdf
- https://static.usrfiles.com/ugd/0d9a50_39e3d8daaa1d4a07b5cc9972cb22de22.pdf
- https://static.usrfiles.com/ugd/b8c837_84ffaf7a36a94757a98a5ce6466eac04.pdf
- https://static.usrfiles.com/ugd/aff7ca_88278e879df54354ae098a195d37f9bf.pdf
- https://static.usrfiles.com/ugd/b8c837_ab1ce2e910374072bfb857a175e262b6.pdf
- https://static.usrfiles.com/ugd/12daa7_da21a08c322b411f8080c55d272800c7.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00004921.bin3fc6e5a448d32aa8f7aa8b03c953a9044358b3a65df128e276764be5eb77df9f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4921 | 5076 bytes |
font_01_sfnt_off00005a72.bin294c05705b7b97c7bba79911d0e1248a222085dacc85de486188fdf70bf74ffd |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5A72 | 10664 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.