MALICIOUS
184
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a large number of embedded URLs, many of which point to disposable hosting and are part of a link farm. One critical heuristic identified a link to a known malicious redirector, which is likely intended to lead users to malicious content. The document body, though heavily obfuscated, contains the malicious URL and other links, suggesting a lure to trick users into clicking through.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://cctraff.ru/strik?keyword=naruto+ultimate+ninja+storm+3+guide In PDF document text
- https://cdn-cms.f-static.net/uploads/4374533/normal_5f8c3b0a412b7.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4383308/normal_5f8fa18d4627b.pdfIn PDF document text
- https://lesofetu.weebly.com/uploads/1/3/1/3/131378838/xuxalurarino.pdfIn PDF document text
- https://tofejigijo.weebly.com/uploads/1/3/4/3/134312142/jupanu-veropozarelusuf.pdfIn PDF document text
- https://wosezobar.weebly.com/uploads/1/3/1/8/131856012/nejuvamexuxa.pdfIn PDF document text
- https://jutebipofan.weebly.com/uploads/1/3/4/3/134334370/5090550.pdfIn PDF document text
- https://wekubuzebebam.weebly.com/uploads/1/3/0/7/130739705/fdd54d4e4.pdfIn PDF document text
- https://zekasujiminog.weebly.com/uploads/1/3/4/3/134366003/7222970.pdfIn PDF document text
- https://sepikupi.weebly.com/uploads/1/3/0/7/130738949/29feca687d.pdfIn PDF document text
- https://boguvetasitob.weebly.com/uploads/1/3/1/3/131380850/bitunanubanixuwisor.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/fec9d770-1f35-462d-a6f3-9abefeb78c10/fadel_educational_foundation.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ab1d7a3d-58b5-4cc7-b0fa-2af55c11e85d/48290537284.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d20038b4-4574-4ca9-9253-560738f4748a/wefun.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e651ff77-549c-43cb-8389-818b8847fb8d/49302357314.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8c4e7f3a-5a60-4df8-88ee-26a15b718be5/guwamupaxaxosemigemivagim.pdfIn PDF document text
- https://s3.amazonaws.com/gupuso/fusionner_2_avec_adobe_reader_xi.pdfIn PDF document text
- https://s3.amazonaws.com/tadovu/26387136148.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b2c27c0a-d2e5-4160-a357-474f3b0fb2ea/29481276343.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/cc060a1d-df0d-436f-bfbe-3729fa0071cd/fefub.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ccbcfe45-d115-44b0-b878-46b1eaa090e5/ballistic_coefficient_chart_berger.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f7ca3e18-a17d-4bf7-9804-561ab3c45de1/resakunurujewino.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005e94.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5E94 | 5352 bytes |
SHA-256: 46a104a6fe51b68ac2d5b234d515c2212ab5214850721742566e502e177cf267 |
|||
font_01_sfnt_off000070b6.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x70B6 | 10552 bytes |
SHA-256: 7eb30e8973238280115f4d723d675b59a4364a6d2e732a89e466d64fee26bac2 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.