MALICIOUS
184
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
This PDF document was flagged by a machine learning classifier as malicious and contains a significant number of embedded links. One of these links, 'https://ggtraff.ru/strik?keyword=gold+d+roger%2527s+bounty', points to known malicious redirector infrastructure. The document appears to be a link farm, likely intended to manipulate search engine results or distribute further malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ggtraff.ru/strik?keyword=gold+d+roger%2527s+bounty In PDF document text
- https://xojerajap.weebly.com/uploads/1/3/1/3/131384359/vibabizuzikenuf.pdfIn PDF document text
- https://zalawevovupat.weebly.com/uploads/1/3/0/9/130969727/3539753.pdfIn PDF document text
- https://misikeni.weebly.com/uploads/1/3/4/3/134336029/mimaguperanudexebepo.pdfIn PDF document text
- https://kisogegexene.weebly.com/uploads/1/3/4/3/134374262/juxevadom.pdfIn PDF document text
- https://gesinanafu.weebly.com/uploads/1/3/4/4/134481382/8436367.pdfIn PDF document text
- https://danawejenig.weebly.com/uploads/1/3/4/4/134499985/jixefupixataxij.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://cdn.shopify.com/s/files/1/0503/0615/4692/files/xiaomi_airdots_pro_user_guide.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/088a87d8-fdd8-4e6b-ba2a-1f22a8ac29cf/easeus_activacin_cdigo_clave.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/3927e77c-b503-41a7-b782-71f81ddc6f85/annatha_aadurar_song_download.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/e5fa49f2-3dfe-439b-a220-45a7b5915ede/siganixujaletenudif.pdfIn PDF document text
- https://s3.amazonaws.com/vezosoluvezoj/freddi_fish_apk_free_download.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/414ecf1e-65d1-4d5a-8671-bb1e1d8cc557/porevolovusos.pdfIn PDF document text
- https://s3.amazonaws.com/pukasojalu/mighty_ducks_t_shirt_uk.pdfIn PDF document text
- https://s3.amazonaws.com/jamokaroxoj/wipalasuriwozes.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ce3a51a3-bf71-4336-98f6-5351ed85c7c5/narenapugugetol.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/3dcb6d47-68c4-4611-964e-b6c501442990/probabilit_exercices_corrigs.pdfIn PDF document text
- https://s3.amazonaws.com/memul/bikotumoz.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/55df0845-a4a4-493c-9e63-d7ebacf2777e/the_gift_of_the_magi_literary_elements.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/55d7679e-457c-4348-b553-be408a132ce4/aetherian_archive_guide.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0480/9280/7331/files/hitachi_zaxis_350_manual.pdfIn PDF document text
- https://s3.amazonaws.com/potofaw/nogutujamefebin.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006936.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6936 | 5092 bytes |
SHA-256: 8625263a824be52546e927e393365fdd617e0085ecbab13699fa6d4a9f1a2259 |
|||
font_01_sfnt_off00007aa5.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7AA5 | 10176 bytes |
SHA-256: f3d5f9a54183c61f1a8d71fbd253f0d2c4a832c90ad6672bc7c73868e6973732 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.