Verdict: MALICIOUS
Risk Score: 184

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment
The PDF contains a large number of embedded links, many pointing to disposable hosting, indicating a link farm designed to manipulate search engine results or redirect users to malicious sites. One critical heuristic identified a link to known malicious redirector infrastructure. The ML classifier also strongly flagged this PDF as malicious.
Machine Learning
- Nyx PDF Classifier: malicious score 1.0000

Heuristics (5)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URL:
  - https://gettraff.ru/pify?keyword=fitness+gym+app+android (in PDF document text)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off000061da.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x61DA | 5304 bytes | d81d2353610c117646851cb61a804071cbd3e9206f128b0e488118d796996951 |
| font_01_sfnt_off000073cd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x73CD | 10060 bytes | 6cc7ba7bbd267fcba80570f999b1be16401544210e1e84c7951b7539b3e17c80 |