MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains numerous embedded links, with one pointing to a known malicious redirector. The ML classifier also strongly indicated maliciousness. The document body is heavily obfuscated but contains a URL that is also present in the heuristics. The primary attack pattern appears to be SEO link farming or redirection to malicious sites.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wix?keyword=ff+mobius+tier+list
- https://static.usrfiles.com/ugd/80c1db_7f05dcf378e84724ae8fc37cc82dc9be.pdf
- https://static.usrfiles.com/ugd/19103d_0cd2f78fcd614b529ef19ff4f2a312bb.pdf
- https://static.usrfiles.com/ugd/fd7405_23587c2542ee4f4e9c856efe5911ea54.pdf
- https://static.usrfiles.com/ugd/1a89c8_c56a393871c5475c8ab0c1cae152a70e.pdf
- https://static.usrfiles.com/ugd/a76634_4f8db9c680824990a33ea41516a373cd.pdf
- https://static.usrfiles.com/ugd/b8c837_11734de3b77c411581461eb84533a23e.pdf
- https://static.usrfiles.com/ugd/4b874d_8d17d4f0e3454967acdfc13850c0f65c.pdf
- https://static.usrfiles.com/ugd/f4de5e_ee00ed8073104b2f9c61bff37966963a.pdf
- https://static.usrfiles.com/ugd/d54300_de5fcc8442d24b449d3ca04e4b1c9882.pdf
- https://static.usrfiles.com/ugd/b8c837_44c12939e27449dca1e76783b80fd58e.pdf
- https://static.usrfiles.com/ugd/b8c837_cd4141fcf85948148f7b269342f39ab0.pdf
- https://static.usrfiles.com/ugd/6f7357_2d8034d8de4743ff8f42f76e79975b72.pdf
- https://static.usrfiles.com/ugd/7ff653_e45e6575e33b4f2d9cd061651f3c66c7.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00013b68.bin99e0de2d39af8d2dc569183cf2d2ca23f2b48d32a89ec14b29d0f0493f1fb07c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x13B68 | 4800 bytes |
font_01_sfnt_off00014ba9.bin01a433025717950cc44979f6f850a07a55f2f731c3d2cffa525fbfb00dff4cd0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x14BA9 | 14736 bytes |
font_02_sfnt_off00017a3f.binea75db71c9df7250347a03039f742fcd189f5fc3f08964e696816fa8b5227073 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x17A3F | 16092 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.