Verdict: MALICIOUS
Risk Score: 154
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a lure related to the video game 'Kingdom Come Deliverance' and embeds a link that redirects to a known malicious URL. This suggests a phishing or scam attempt designed to redirect users to potentially harmful content. The PDF also contains a large number of links to other PDFs, indicating a link farm, likely for SEO manipulation or to host further malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (4)
- PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted URLs:
- https://ttraff.cc/wix?keyword=kingdom+come+deliverance+how+to+get+money
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static.usrfiles.com/ugd/451461_099b4d3ab17c46048e118d076801278a.pdf
- https://static.usrfiles.com/ugd/b8c837_8647b3c843e949dc9afb1a4109e3314e.pdf
- https://static.usrfiles.com/ugd/b8c837_32f73daafee8453a929d6bc293af174e.pdf
- https://static.usrfiles.com/ugd/b8c837_e6b09d0ef47d445bb7a58f12c76a5975.pdf
- https://cdn.shopify.com/s/files/1/0436/8941/0713/files/72792093713.pdf
- https://cdn.shopify.com/s/files/1/0429/1392/3228/files/orbital_gateway_login.pdf
- https://cdn.shopify.com/s/files/1/0429/0225/7823/files/top_100_songs_of_1968.pdf
- https://static.usrfiles.com/ugd/33ab24_d3eb246c2836499280add3ff553b694b.pdf
- https://static.usrfiles.com/ugd/b8c837_832aecef188b4b538cd4dcace800634b.pdf
- https://static.usrfiles.com/ugd/510a18_97b9f7c3bd044283a5290bc0a96b6a89.pdf
- https://static.usrfiles.com/ugd/b8c837_d2e4ea4c537e4aed807f9165405a8193.pdf
- https://static.usrfiles.com/ugd/b8c837_e62cfd464b1a416fb85931d185a71ad7.pdf
- https://static.usrfiles.com/ugd/ace02d_1fcfe15b6e664bf2b19487c2ebd6f144.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off000064a1.bin | 7c60688fad156f625ad942f74b0c9e7ba866e5a863c511ccae1ac4b98ca73580 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x64A1 | 5396 bytes |
| font_01_sfnt_off000076de.bin | 57c4059d2d596218e5672aae136ed60a00d83df1fcfa6c05fee6dc76559abe3a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x76DE | 10388 bytes |