Verdict: MALICIOUS
Risk Score: 154
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains embedded links, one of which points to a known malicious redirector infrastructure. The ML classifier also strongly indicated maliciousness. The document body contains obfuscated text and URLs, suggesting an attempt to lure the user to a malicious site. No scripts were extracted, but the presence of embedded URLs and the PDF_MALICIOUS_REDIRECTOR_LINK heuristic are strong indicators of a phishing or redirection attack.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (4)
- PDF links to known malicious redirector infrastructure [critical, PDF_MALICIOUS_REDIRECTOR_LINK]: PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000449b.bin (d7f6b0057e5e0dace0afce83a5958f558b20246e241d9220f8863451719a5aa7) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x449B | 4820 bytes |
| font_01_sfnt_off0000552d.bin (a4a82362abee40b0ac8f6a5b3b78f67e5f1162d3b75ccbb291b89a13d12e92ae) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x552D | 10400 bytes |