MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a link farm and a redirector to a known malicious URL, indicating a phishing or malware distribution attempt. The document body itself is heavily obfuscated but contains the primary malicious URL, suggesting the intent is to redirect the user to a site that likely hosts further malicious content or attempts to phish credentials. The ML classifier strongly supports the malicious verdict.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=consumer+credit+risk+management+pdf
- http://files.acollinsedu.com/uploads/1/3/1/3/131384127/2fec1.pdf
- http://files.rosieraestoffee.com/uploads/1/3/1/6/131606291/dowir.pdf
- http://files.reusinbysusan.com/uploads/1/3/0/7/130775784/vejuwekikezuke.pdf
- https://cdn.shopify.com/s/files/1/0435/1816/5144/files/36401077031.pdf
- https://cdn.shopify.com/s/files/1/0429/3240/4380/files/wupawalevuketaradixak.pdf
- https://cdn.shopify.com/s/files/1/0438/8667/4088/files/bobumibawisasuniwitasivus.pdf
- https://cdn.shopify.com/s/files/1/0430/0773/8019/files/verizon_extended_network.pdf
- https://cdn.shopify.com/s/files/1/0427/4572/5094/files/google_chrome_terbaru_full_version.pdf
- https://cdn.shopify.com/s/files/1/0437/5497/9477/files/11239218903.pdf
- https://cdn.shopify.com/s/files/1/0463/0839/3122/files/delomonovifurid.pdf
- https://cdn.shopify.com/s/files/1/0432/5743/0176/files/kadurevupa.pdf
- https://cdn.shopify.com/s/files/1/0437/9095/8749/files/43603034081.pdf
- https://cdn.shopify.com/s/files/1/0434/6360/6429/files/4363905957.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005c3b.binfc718ae432f7d441d8d9ca0714270a26f842c0cbc2bd8b4c845404198aa47fbb |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5C3B | 5412 bytes |
font_01_sfnt_off00006e8d.bin06e3d557c8f7fdd70d0d0fb809cbc13c74c454b8c301a6a63a06695356bda88a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6E8D | 10084 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.