MALICIOUS
184
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF contains a large number of external links, many hosted on disposable domains, indicating a link farm designed to distribute traffic. One critical heuristic identified a link to a known malicious redirector, suggesting the primary purpose is to lead users to malicious content. The ML classifier also strongly indicated maliciousness.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.me/pify?keyword=how+to+eat+fried+worms+cast In PDF document text
- https://mipirizu.weebly.com/uploads/1/3/2/6/132682564/balajasutur.pdfIn PDF document text
- https://pexazunawilaga.weebly.com/uploads/1/3/4/2/134265520/0a4b74f49a44d.pdfIn PDF document text
- https://jawowigo.weebly.com/uploads/1/3/0/7/130774982/lebetise-letefivex-jamolojosataxuz.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4379961/normal_5f9635962b768.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4371248/normal_5f897e65c7878.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4367625/normal_5f91e5d2e161b.pdfIn PDF document text
- https://lodirunesu.weebly.com/uploads/1/3/0/8/130874391/nizixexapok.pdfIn PDF document text
- https://vunixumo.weebly.com/uploads/1/3/1/4/131453253/butezodufigejitila.pdfIn PDF document text
- https://lebuwaner.weebly.com/uploads/1/3/4/4/134478239/bujegiz.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/e2dcb0da-0a58-4d4e-8a3a-bfe2e636e5fc/46233893177.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c0520bb3-b332-4525-998e-d4384caf804d/50320069389.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b87b1500-31c4-4240-885e-cc06b266c626/lomiwoli.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/6b693d58-073f-41c1-b592-c2847d6cff87/kujenufuwejojurowinaj.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/08bf4e87-ac78-44b5-bf82-ca780d54625c/26534574203.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0431/4621/5584/files/kalidasitemikelatejajekir.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0484/3821/4810/files/ftp_server_download_for_android.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/59e17fce-7ea9-4322-bd08-861a336c2ed8/jorge_volpi_una_novela_criminal.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/19103f31-79df-40e9-b1bb-f3ccdc591544/liderazgo_situacional_de_hersey_y_blanchard.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b7fed735-845f-4954-a4f4-cab1709918b9/kutesubuvuvexage.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f9c3a81e-a62c-4348-8e81-5860b887b857/zulerepobufajolupegowil.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/dfaafc0b-e739-41f5-a38b-b965e7f31b90/87362582984.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000076f8.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x76F8 | 5188 bytes |
SHA-256: 4274f26a5fadfae2aeebb26788fa7d4eee40a9ab0b1985bc77af4bcb005ec0c0 |
|||
font_01_sfnt_off00008895.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8895 | 11008 bytes |
SHA-256: 8801631cba42c79244fa5bfa4d82d657fc66ada63027d814719bec38b7a7e994 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.