MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a significant number of embedded URLs, with one identified as a known malicious redirector. The document body, though heavily obfuscated, contains references to the malicious URL and other benign-looking URLs hosted on static.usrfiles.com. The presence of a large link farm and a critical heuristic firing for malicious redirectors strongly suggests a phishing or redirection attack. No scripts were extracted, limiting the analysis of specific execution behaviors.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wix?keyword=sharron+art+center
- https://static.usrfiles.com/ugd/4dd980_55ff2a86aaf94d3b879f3bfe7066f692.pdf
- https://static.usrfiles.com/ugd/b8c837_93879a5317f44462a68c02a82ce7a5da.pdf
- https://static.usrfiles.com/ugd/2f3ac6_7cc66a505a0a4f85a4a2bbb148d7a5ee.pdf
- https://static.usrfiles.com/ugd/b8c837_60f6ca8c0a3c476386ae334300d93b9f.pdf
- https://static.usrfiles.com/ugd/493135_bc29a2a27d31411d8492cf40a9cac4cf.pdf
- https://static.usrfiles.com/ugd/b8c837_9f72ec573f884ae893bda899ac3d085f.pdf
- https://static.usrfiles.com/ugd/99965f_12b32b62fec144368b5daf9ccb545d32.pdf
- https://static.usrfiles.com/ugd/510a18_0d479c87ed434ed6a84744c37150bdab.pdf
- https://static.usrfiles.com/ugd/fb5067_743da619835e45858f4d4f1096b2cc80.pdf
- https://cdn.shopify.com/s/files/1/0431/0423/9783/files/95784614118.pdf
- https://cdn.shopify.com/s/files/1/0433/1061/2635/files/desij.pdf
- https://cdn.shopify.com/s/files/1/0435/2458/7679/files/safuverojisi.pdf
- https://cdn.shopify.com/s/files/1/0430/8071/2346/files/77578939421.pdf
- https://cdn.shopify.com/s/files/1/0430/2677/6227/files/xibovisidokifamit.pdf
- https://cdn.shopify.com/s/files/1/0437/1228/2789/files/soxonapabubusogano.pdf
- https://cdn.shopify.com/s/files/1/0431/0823/7473/files/decimal_multiplication_worksheets.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000046a9.binc13a10ef36b6ff0c7a46c2587bbffb410dc2aefe90f5907c9ea555ca7a111a5b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x46A9 | 4780 bytes |
font_01_sfnt_off000056d5.bin5cd594b51fb439f139f9fcba817df77e16480ef4284408958681c3ac48556eaa |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x56D5 | 9480 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.