MALICIOUS
94
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a link to a known malicious redirector, disguised as a download for an ebook. The ML classifier also strongly indicated maliciousness. The embedded URLs likely lead to a second-stage payload, suggesting a downloader or dropper functionality.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ggtraff.ru/strik?keyword=agile+project+management+with+scrum+ebook+pdf+download
- https://site-1036956.mozfiles.com/files/1036956/22402201271.pdf
- https://site-1036988.mozfiles.com/files/1036988/wapuxojap.pdf
- https://site-1036960.mozfiles.com/files/1036960/28367598656.pdf
- https://site-1037884.mozfiles.com/files/1037884/540556194.pdf
- https://site-1036872.mozfiles.com/files/1036872/wojusulivarelav.pdf
- https://site-1037122.mozfiles.com/files/1037122/8568788776.pdf
- https://site-1037207.mozfiles.com/files/1037207/10000040079.pdf
- https://site-1036800.mozfiles.com/files/1036800/tusikukaxibivafafan.pdf
- https://site-1036885.mozfiles.com/files/1036885/badas.pdf
- https://site-1037022.mozfiles.com/files/1037022/nurepokejimokaviwazemase.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://uploads.strikinglycdn.com/files/2a04cdf7-f21b-419b-a480-8d34164780a5/52722133096.pdf
- https://uploads.strikinglycdn.com/files/7b3ca141-a775-43b3-ac15-4245b2c0cc4a/mireteresozise.pdf
- https://uploads.strikinglycdn.com/files/4fd92fba-a8d0-4bd1-9ad5-88201acc3f36/samosugivawaligetonasuk.pdf
- https://uploads.strikinglycdn.com/files/ab4ae65a-7fa3-4de7-ae90-5df6f30adeb2/fiwugosizuseguwuv.pdf
- https://uploads.strikinglycdn.com/files/74551529-88d8-46b1-b021-5e9e0cf9165c/muterazadewefivosun.pdf
- https://uploads.strikinglycdn.com/files/6d640f83-8233-4a00-a74e-04cd094447e5/5152535568.pdf
- https://uploads.strikinglycdn.com/files/5a1d9f8b-b343-47a2-8342-11ad13d61b2e/74042513834.pdf
- https://uploads.strikinglycdn.com/files/bea35f5e-5837-4130-832e-9e211429957c/93287530798.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005ff4.bin2bc025cda4e3bbbeabb16d5c953e8895aa0ba99ea7d128b92cd4626c34bd21b5 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5FF4 | 5812 bytes |
font_01_sfnt_off00007396.binfe6544f2478a74ba02709a569aaceed14f9c7c8e388fd347cfe6fc99aca907ef |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7396 | 10208 bytes |
font_02_sfnt_off0000967c.bin9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x967C | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.