MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF contains a link to a redirector service, which is a common tactic for distributing malware or leading users to phishing sites. The document body, though heavily obfuscated, contains text related to a product manual, suggesting a lure to encourage clicks. The presence of numerous external links, many pointing to Shopify, indicates a link farm or content stuffing technique to obscure the malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=slinglink+turbo+w1+sl300-100+manual
- http://gamutilu.berefresh.com/uploads/1/3/1/4/131483254/f3892b78c5fdc.pdf
- http://qwz.cloudz.pw/download?file=slinglink+turbo+w1+sl3
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0437/8460/1752/files/nowawuxafidodu.pdf
- https://cdn.shopify.com/s/files/1/0432/8180/9558/files/galafanuwik.pdf
- https://cdn.shopify.com/s/files/1/0435/5588/1111/files/xamotafebofilesufusake.pdf
- https://cdn.shopify.com/s/files/1/0429/6422/2101/files/what_is_the_square_root_of_35.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/68513135127.pdf
- https://cdn.shopify.com/s/files/1/0437/2643/8550/files/jitujuvisekolugewolisef.pdf
- https://cdn.shopify.com/s/files/1/0431/2216/3876/files/23505059073.pdf
- https://cdn.shopify.com/s/files/1/0437/6294/2101/files/rugazexeropixijedonutuba.pdf
- https://cdn.shopify.com/s/files/1/0452/4238/4545/files/issuu_download_online.pdf
- https://cdn.shopify.com/s/files/1/0438/4364/9698/files/humoral_and_cell_mediated_immunity.pdf
- https://cdn.shopify.com/s/files/1/0429/3761/4499/files/hotel_business_plan_in_kenya.pdf
- https://cdn.shopify.com/s/files/1/0438/2910/0701/files/miporilanojo.pdf
- https://cdn.shopify.com/s/files/1/0428/3020/0991/files/volcanoes_earth_shattering_news_reading_passage_answer.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005a19.bind4bb5d1977fd4c485af59dc625e821f81a12a2476694f078738b1a1111c12cd1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5A19 | 5792 bytes |
font_01_sfnt_off00006dd2.bin90bad339f28745c120d6993272a19242c5aa92ed5e38a894271b75e0f0b03cb6 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6DD2 | 10836 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.