MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a large number of embedded links, many pointing to Shopify domains, which are likely part of an SEO link farm. One critical heuristic identified a link to a known malicious redirector at 'https://ttraff.cc/wb?keyword=islamic%20calendar%202019%20pakistan%20pdf'. This suggests the document's primary purpose is to drive traffic to malicious or potentially malicious sites under the guise of providing calendar information.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wb?keyword=islamic%20calendar%202019%20pakistan%20pdf
- http://files.cafl212.com/uploads/1/3/0/8/130814516/6369399.pdf
- http://files.roadstercarwash.com/uploads/1/3/0/7/130775232/numomijewe_gademuxazut_wigemo.pdf
- http://files.peopleandpipelines.com/uploads/1/3/1/4/131406506/gedosiwogaxa.pdf
- http://files.selkicasarpg.com/uploads/1/3/1/4/131409333/8033832.pdf
- http://files.naomicaselli.com/uploads/1/3/1/3/131383734/naxidogizel-peluduguw-jewijilululizu.pdf
- https://cdn.shopify.com/s/files/1/0430/7514/1794/files/sawodapupuzineliweza.pdf
- https://cdn.shopify.com/s/files/1/0437/1336/4121/files/4427499221.pdf
- https://cdn.shopify.com/s/files/1/0437/4416/6037/files/butenobaj.pdf
- https://cdn.shopify.com/s/files/1/0437/4478/8634/files/14955398302.pdf
- https://cdn.shopify.com/s/files/1/0433/3069/9414/files/ravapejaworijunesogozuvi.pdf
- https://cdn.shopify.com/s/files/1/0437/6671/0426/files/32390443456.pdf
- https://cdn.shopify.com/s/files/1/0436/2685/6610/files/mitimimijujiluviw.pdf
- https://cdn.shopify.com/s/files/1/0431/7754/1792/files/dofanilufozivinef.pdf
- https://cdn.shopify.com/s/files/1/0431/1416/8487/files/68637926835.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006c8c.bine5aff5567f869e8422e82627b35dfbf42a0733b585e5f24bfa27973318404b22 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6C8C | 5784 bytes |
font_01_sfnt_off00008021.bin70ca1a1f327205d46f7015cc28be5c2b69315bf230f1f0d3fab19005ac0124e6 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8021 | 16052 bytes |
font_02_sfnt_off0000afdc.bin7e281611f1935d806fa57b91b0658fa6277317be6ea22a8e428f2c622fcaa264 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xAFDC | 21140 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.