MALICIOUS
214
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a link farm and impersonates a cloud document lure, directing users to a known malicious redirector. The embedded content, though heavily obfuscated, contains URLs that are likely part of a download chain. The ML classifier strongly indicated maliciousness, and the presence of multiple external links suggests an attempt to distribute further content.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 6
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Cloud document impersonation lure medium SE_CLOUD_DOC_LUREDocument impersonates a cloud file-sharing service such as SharePoint, OneDrive, Google Drive, Dropbox, Box, or Microsoft 365 and asks the user to open, verify, or access a shared document
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://gettraff.ru/123?keyword=es+file+explorer+file+manager+apk+ios In PDF document text
- https://ridolagu.weebly.com/uploads/1/3/0/7/130775195/4557862.pdfIn PDF document text
- https://saxibodusazo.weebly.com/uploads/1/3/0/7/130740440/2e2107d79.pdfIn PDF document text
- https://vopevejefed.weebly.com/uploads/1/3/1/6/131606133/duledixefubo.pdfIn PDF document text
- https://saxibodusazo.weebly.com/uploads/1/3/0/7/130740440/77c24ad3e119c.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/ace480b4-26b6-429b-bacd-433df554d9a9/65964297501.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ad3d1e5c-01b7-4714-ae37-cc7798168833/puripirefud.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/451acc29-de7a-4e1c-a1ea-c9e287712e1f/11609806984.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/32a063c5-8423-4ab9-afea-720ad994206d/mobijunopajotox.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d6d1dd38-d62a-45d0-8339-25abc5be1f0c/sowuwod.pdfIn PDF document text
- https://s3.amazonaws.com/susopuzupure/74047600061.pdfIn PDF document text
- https://s3.amazonaws.com/henghuili-files/99527790168.pdfIn PDF document text
- https://s3.amazonaws.com/felasorarabipis/67891512497.pdfIn PDF document text
- https://s3.amazonaws.com/henghuili-files/fixonowumonufof.pdfIn PDF document text
- https://s3.amazonaws.com/wonoti/33555567484.pdfIn PDF document text
- https://s3.amazonaws.com/zirojopemup/87709079591.pdfIn PDF document text
- https://s3.amazonaws.com/jamokaroxoj/99031632087.pdfIn PDF document text
- https://s3.amazonaws.com/sugaguxagu/28197119761.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f5deb292-0f17-4e47-b054-4c6118fb4e69/zevovetidebax.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/6a118aa7-09b2-4051-b31f-5c9412e0606a/vitewuvi.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d3d32e8b-05fd-4ea2-b6a2-851cd722ce98/segedipatesumiri.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/bbda1761-4de7-46b0-b126-521f95fea55d/33573446288.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ddc67cc6-700b-4186-99db-4b0fa5ca26b9/nitepeguboradanopo.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00007dc6.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7DC6 | 3012 bytes |
SHA-256: 703af8dc6e3e7fb72d120ac996c1805ad2c939f81228a9055ac86c49dd354924 |
|||
font_01_sfnt_off0000888c.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x888C | 5312 bytes |
SHA-256: 73972eeda8ce0c311b05e3a7669c53e364e817c45f98ee20a08f1d1b9e8c5337 |
|||
font_02_sfnt_off00009a91.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9A91 | 10528 bytes |
SHA-256: 1af5fdb18f0c3e0bb74e056e35b17e80696e32be1dc0d6f224284d3cbdf81bf7 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.