Verdict: MALICIOUS
Risk Score: 154

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains a large number of embedded links, with one identified as a malicious redirector. The ML classifier also flagged this PDF as malicious. The document body, though heavily obfuscated, contains URLs that are likely part of a link farm designed to lure victims to malicious sites.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9795

Heuristics (4)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (12)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| stream_007_off00014d3f.bin | 99a9d9de0b991bfdfb087296a0694540619440aa63900eaa1f26204f298a4bdf | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x14D3F | 2296 bytes |
| stream_012_off0001cedc.bin | 4780cbefbdcb714a124cad02df4919c11400da95c8baafbfa870d54a8fa66f91 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1CEDC | 25808 bytes |
| font_00_sfnt_off0000f4e5.bin | 23bed797d97bda55248fc61ba84ad3b4940ee20791600990b0cfcb37dc87a329 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF4E5 | 6444 bytes |
| font_01_sfnt_off000104aa.bin | d9175beaec6848dceb76f8114c03c00ce25911bf3a5ba817d0417f17cc69c988 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x104AA | 10848 bytes |
| font_02_sfnt_off000129cc.bin | 18e2b26f2cd8c09fef3d68f407c87d94ece5c778ba8bce9412fab2c24e216782 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x129CC | 4776 bytes |
| font_03_sfnt_off00013a0c.bin | d36447fd93c6800d24c73edf6ff3932caa7c5bef032f6dad58d13864b7d49d88 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13A0C | 9472 bytes |
| font_05_sfnt_off0001577c.bin | 2ad03f91ae2c882cd56a77e6dc1d8f36fe3fa689eb2193c56928730a73b9d74d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1577C | 1820 bytes |
| font_06_sfnt_off000160e9.bin | e84758f060cc5232ea7e677b23b86afe748a61d252f83b70b8df25e66f537e14 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x160E9 | 2808 bytes |
| font_07_sfnt_off00016bb2.bin | 51e86b3277d6dea9948b6b9b7ea21cd27c577615b26c9fb2df22313e628a8036 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16BB2 | 7408 bytes |
| font_08_sfnt_off00017ea6.bin | 4b518a87cc6669bf7de0e364fc5fe2ecbe7ffbeb541e87bb75ccd1690befaced | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17EA6 | 26716 bytes |
| font_10_sfnt_off0002040d.bin | 56301e9bc1dc7c3c189aea8eea2753400ba2bb5e9c88ae2289572d2f24d93fa2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2040D | 6372 bytes |
| font_11_sfnt_off0002144b.bin | 72f1dfb66e82911dd60be38c00ac0dc14a6ddae621b68bd029e7d97bffcfece2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2144B | 2480 bytes |