MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file contains a large number of embedded links, a technique often used to create link farms for SEO manipulation or to direct users to malicious sites. The primary URL, 'https://ttraff.com/wix?keyword=the+l+word+free+download+season+1', suggests a lure for downloading popular media, which is a common tactic for distributing malware. The ML classifier also strongly indicated maliciousness.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=the+l+word+free+download+season+1
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static.usrfiles.com/ugd/b8c837_3ce47466429d4bdca5794bf32e4d3d28.pdf
- https://static.usrfiles.com/ugd/04e6f9_355aa8343dee49e486295bcb143ea876.pdf
- https://static.usrfiles.com/ugd/3e9e83_f222337f42ba4214b1897d67e3789bab.pdf
- https://static.usrfiles.com/ugd/f96b02_66d58bf562d4480ca8d49a6ca18ab10a.pdf
- https://static.usrfiles.com/ugd/0d2908_91c2937f89554218b623c1b178836222.pdf
- https://static.usrfiles.com/ugd/4479ed_5e165d0f34df432c8e19d0e867e3533f.pdf
- https://static.usrfiles.com/ugd/6350c7_f40f90cc63f3499c92df984a66c1cff0.pdf
- https://static.usrfiles.com/ugd/0779a3_19e789f9178843e4ad6489cf7e40e9c6.pdf
- https://static.usrfiles.com/ugd/d4a9d6_e0dc9088c59f42299c55d45f69f904e2.pdf
- https://static.usrfiles.com/ugd/7d21c0_083047cc4eb44c9ca4f38dd4531af8d4.pdf
- https://static.usrfiles.com/ugd/cc14e4_e82aa7eab471489282809c25a7ae37fb.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000068b5.bin732143b9585308f3327499d4887b724e44dde0f57abef5f0a1b7de3d61da797a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x68B5 | 5088 bytes |
font_01_sfnt_off00007a14.binc00e7b28aa937e1525a893cd8600747af1148988576d3c7cc349c6a28fb9b5e9 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7A14 | 10060 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.