MALICIOUS
194
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The sample is a PDF document that contains a link farm and a lure for an advance-fee scam. The heuristic 'SE_ADVANCE_FEE_SCAM_LURE' indicates the document's content is designed to trick users into believing they have won a prize or are eligible for funds, requiring them to pay a fee for delivery or processing. The presence of numerous external links, including one to a known malicious redirector, suggests an attempt to direct users to malicious infrastructure.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LUREDocument contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=if+shakespeare+had+a+sister
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static.usrfiles.com/ugd/b8c837_ec2833fd438f4f588e763ab0459e255e.pdf
- https://static.usrfiles.com/ugd/b8c837_80d20ce9cf1a4bcd8874c8c13a56331b.pdf
- https://static.usrfiles.com/ugd/b8c837_0c93cdf559994137aac924232026cf28.pdf
- https://static.usrfiles.com/ugd/b8c837_0fe6bfb818604b0380d7754413a4b16e.pdf
- https://static.usrfiles.com/ugd/b8c837_1dec1250e7a94f8fac53ce827f93685b.pdf
- https://static.usrfiles.com/ugd/b8c837_a9b238016fc24d2ca61a274b4c7a0ff0.pdf
- https://static.usrfiles.com/ugd/b8c837_92d19a79efe345d0bc8ffa3f4fb0913e.pdf
- https://static.usrfiles.com/ugd/b8c837_14f1dd89131c460bb4c0268c1c5dedf3.pdf
- https://static.usrfiles.com/ugd/b8c837_485607fa1bea44d382d5768e76400283.pdf
- https://static.usrfiles.com/ugd/b8c837_c1a18a5a3042493ca7f82941cbdca950.pdf
- https://static.usrfiles.com/ugd/b8c837_b2a7b9e453ab42369fa6184c26b403f4.pdf
- https://static.usrfiles.com/ugd/b8c837_995ed97ac957410eb0a5da2a3520aa9b.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000c262.bin07c3a7e45ac7f71cfa4950b4a341373fc32ef5492adec3c495425da3798db712 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC262 | 5100 bytes |
font_01_sfnt_off0000d3b2.bin960d1e79218ed801f1a6247bbce0c5957812991bc4229f270450453bf48af730 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD3B2 | 10228 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.