Risk Score: 92 (MALICIOUS)
Malware Insights
MITRE ATT&CK
- T1566.002 Spearphishing Attachment
- T1059.001 PowerShell
The PDF contains a link to a known malicious redirector, indicating an attempt to lure the user to a harmful site. The document body, though heavily obfuscated, includes metadata suggesting it was generated by wkhtmltopdf, a tool sometimes used to create malicious documents. The ML classifier also strongly flagged this PDF as malicious. The primary IOC is the redirector URL.
Machine Learning
- Nyx PDF Classifier malicious score 0.9986
Heuristics 3
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Primary URL: https://ttraff.cc/pify?keyword=shrimad+bhagavad+geeta+shloka+in+sanskrit+pdf
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| stream_010_off0002aa3b.bin | 98c15dbd18b759e8c4ecb1f4409716b2c860f4721f613f89cbc6b20dc68cd2f3 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2AA3B | 12084 bytes |
| font_00_sfnt_off00025c9a.bin | 8c9b9bc409ef95bfd2b1701120eade4ffeb36cd4ae08fe26c9f59a6444510e3d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x25C9A | 5608 bytes |
| font_01_sfnt_off00026f82.bin | 13f1c1acb04f6a2c0c7809b473bb32c2578594c6ef10021f571feb2e59bba7cf | pdf-font-stream | PDF embedded font (sfnt) at offset 0x26F82 | 3772 bytes |
| font_02_sfnt_off00027b28.bin | 06e23b0fd973963ea3b6193a46e2a06dbc3abfa2b1f1556fbd7b1b81b73835c7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x27B28 | 15876 bytes |