MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a direct link to a known malicious redirector, which is designed to lure users with promises of game hacks. The ML classifier strongly flagged this PDF as malicious, and the presence of a link farm further supports a malicious intent. The document body, though heavily obfuscated, contains the URL used in the lure.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.me/wix?keyword=bubble+witch+saga+3+hack+online
- https://5b6249cf-c903-48f4-8773-c2d4f6499258.filesusr.com/ugd/de3d83_3452fda8a5f449cca404440acc5504b0.pdf?index=true
- https://266f3427-07fd-4eeb-aae3-07063d69f984.filesusr.com/ugd/7603ae_25bdb67505c04a7281324621837d12d3.pdf?index=true
- https://946f2e35-840f-4a92-a616-d53b88d402fc.filesusr.com/ugd/0df15e_eb2aa79c371c4fb08f02770d4f7adb32.pdf?index=true
- https://f95b338f-55ce-4522-91f5-ce8b02dba5fe.filesusr.com/ugd/91e123_bb3639cf5b96421a945781d6de0a67c9.pdf?index=true
- https://972caf21-bbab-460e-9b47-8955101791c9.filesusr.com/ugd/8d5d69_c7535803ee244a61ae6471d5815ac46a.pdf?index=true
- https://2302f94a-33a9-42b2-a2fc-d55ec16c5ccf.filesusr.com/ugd/89064d_c098c4c494a14cfa9d73f2f6fd4a6b53.pdf?index=true
- https://cdn.shopify.com/s/files/1/0435/5181/7879/files/88089736014.pdf
- https://cdn.shopify.com/s/files/1/0430/6108/4322/files/arabic_alphabet_chart_with_pictures.pdf
- https://86ca6945-c8bf-45e0-a7eb-6258815225f9.filesusr.com/ugd/1c8c1e_2d7d0b51130145bf85833f02e3a91eb7.pdf?index=true
- https://62e6eb5c-9ffa-4bec-ad60-0fa08ccd2b21.filesusr.com/ugd/3c9ac1_f58dcb7611b943dc8617ba3c33ce7094.pdf?index=true
- https://1374a94f-77d9-4514-b155-1300c342f26a.filesusr.com/ugd/7a359d_c54df5b6859c44d4a21e7de07918701f.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000068c1.bin944298905b48fbf38a28a2c502b9f0fd9899fd8b369aa8b71a7c36cf1b7b3574 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x68C1 | 5476 bytes |
font_01_sfnt_off00007b7b.bin5dbc50ce0cbc15ba93a3fc1a6a852f4308d48767b10ff40ae6e04ec4f7e8a10d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7B7B | 10584 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.