MALICIOUS
Risk Score: 152
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains embedded links, one of which directs to a malicious redirector. The document body and heuristics indicate a lure to download an Android application package (APK) related to 'Clash of magic'. The presence of a link farm further suggests an attempt to distribute malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL
- https://ttraff.link/wix?keyword=clash+of+magic+s3+8.332.9.apk+download
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00005d4b.bin | 25baec5a2fa811b7c43be87e73a9fe49ce6c613f0fa9d2848a92e62caa5f722b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5D4B | 6212 bytes |
| font_01_sfnt_off00007257.bin | 34bfde356470b6690ee701cac122a48539134852183b29f7f9f1472214936084 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7257 | 9984 bytes |