MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains embedded links that point to known malicious redirector infrastructure, specifically 'https://ttraff.ru/wix?keyword=dota+2+invoker+chinese+responses'. The document body, though heavily obfuscated, also contains this URL, suggesting a lure to external malicious content. The presence of numerous PDF links, many pointing to user-uploaded content, indicates a link farm strategy to obscure the malicious destination.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wix?keyword=dota+2+invoker+chinese+responses
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static.usrfiles.com/ugd/b8c837_b291d8e5287540a7a20338fd5a39b0c9.pdf
- https://static.usrfiles.com/ugd/b8c837_bbb42eef0c7743daa41a1dd219d3782d.pdf
- https://static.usrfiles.com/ugd/87a178_ab0305a95d584638acb42a475fba2e48.pdf
- https://static.usrfiles.com/ugd/b8c837_7ae8175f7d8343578c7e89f811b1cad2.pdf
- https://static.usrfiles.com/ugd/b8c837_9fc0f95631f744759b2ac730f477f9fc.pdf
- https://static.usrfiles.com/ugd/b8c837_598d6818cebb42b9a47e2967aa1b1525.pdf
- https://static.usrfiles.com/ugd/9e14ca_06d2fb8b8f104b518f21e450ad8212e4.pdf
- https://static.usrfiles.com/ugd/10b11f_bdfbdd1571524a5187b90abddb80d43b.pdf
- https://static.usrfiles.com/ugd/a4e402_febab50c6f23440a9e4b288008cef4ae.pdf
- https://static.usrfiles.com/ugd/19103d_85fe105813e34f5b92cb51f86d4e7292.pdf
- https://static.usrfiles.com/ugd/b8c837_a932183e82f7499681b2072342856939.pdf
- https://static.usrfiles.com/ugd/b8c837_89ab9f1b353847e9954e4b18f6ed32d9.pdf
- https://static.usrfiles.com/ugd/b8c837_cd645dfcb9004143a539970338609758.pdf
- https://static.usrfiles.com/ugd/d162e3_c6e1d76767464211813e6461b5f57633.pdf
- https://static.usrfiles.com/ugd/760101_d6d94dde1a074ab1b93b3442acd16f1e.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000072f6.bin98d88288db44d2c102f03e27b7a2058c8aa1f1fe5dfae00a7617e134ec441587 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x72F6 | 5244 bytes |
font_01_sfnt_off000084ce.bin2fa118710f52f2e6f9a43b8a17dcd2a812a07f0e326ee893ed036806badc5aa6 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x84CE | 10540 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.