MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a large number of embedded links, with one specifically pointing to a known malicious redirector. The ML classifier also strongly indicated maliciousness. The document body is heavily obfuscated and contains a URL that appears to be part of a link farm designed to distribute malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.me/wix?keyword=ff14+lodestone+job+guide
- https://cdn.shopify.com/s/files/1/0428/1847/0044/files/c_k_p_ka_full_form.pdf
- https://cdn.shopify.com/s/files/1/0429/1425/0905/files/lilivatowam.pdf
- https://cdn.shopify.com/s/files/1/0439/8543/6830/files/27782830550.pdf
- https://static.usrfiles.com/ugd/368de4_9a0fbab5cd87479caf9b8dac153c7486.pdf
- https://static.usrfiles.com/ugd/6290de_7961fc591dfb4841b9a75ed97d13421e.pdf
- https://static.usrfiles.com/ugd/3615fb_67c4ebe0d6634e8282748676682c3a62.pdf
- https://static.usrfiles.com/ugd/b8c837_c4a1241efb154e09aea32844d3733e53.pdf
- https://static.usrfiles.com/ugd/4cf28d_3f7f2ca1f705441e808ef5f6fe3b774f.pdf
- https://static.usrfiles.com/ugd/dcc11b_523205a2473347959e33bf0f9a5d6460.pdf
- https://static.usrfiles.com/ugd/ea9bdf_d123407b02644834b40a27c2f9307d8b.pdf
- https://static.usrfiles.com/ugd/f3ecbe_38251422893e4edb873ea5d79734c85e.pdf
- https://static.usrfiles.com/ugd/f1780b_6ae2f862b8924d38ae1446d069849830.pdf
- https://cdn.shopify.com/s/files/1/0433/6415/5560/files/40410661747.pdf
- https://cdn.shopify.com/s/files/1/0428/8181/0595/files/fusuxijimilanidinazabeman.pdf
- https://cdn.shopify.com/s/files/1/0433/0166/6969/files/26552175474.pdf
- https://cdn.shopify.com/s/files/1/0434/0203/5352/files/popesowinojodiferogav.pdf
- https://cdn.shopify.com/s/files/1/0437/7070/8125/files/146866880.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000730c.bin48127681b2896ccf9af10fb2ac23bffc5641f0a40b8521a966dc04632123877c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x730C | 5080 bytes |
font_01_sfnt_off0000847c.bin4f5477f436629b0e06d6e8f8469c4e507604e62ceb73b1823fb32a95bd18c6f0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x847C | 10092 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.