Verdict: MALICIOUS (Risk Score 184)

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
A critical heuristic fires because the PDF links to known malicious redirector infrastructure. The file also exhibits the characteristics of a PDF SEO link farm: numerous links to other PDF documents hosted on disposable domains. The document body text, though heavily corrupted, contains a URL that matches the malicious redirector. No scripts were extracted from the file (so the T1059.007 JavaScript mapping is not backed by any recovered script), but the overall structure indicates an attempt to drive traffic to malicious sites; the risk lies in the linked destinations rather than in the PDF itself.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (5)

- PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
  The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.

- Small PDF contains a mass external PDF link farm [critical] PDF_SEO_LINK_FARM
  A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.

- Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
  A small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the "free document/template" SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.

- Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.

- Embedded URL [info] EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the URLs below were found in the PDF document text.
  - https://ttraff.link/wix?keyword=reflexiones+diarias+alcoholicos+anonimos+pdf
  - http://files.wedding-flowers-perth.com.au/uploads/1/3/1/0/131070702/7896770.pdf
  - http://files.myccclive.com/uploads/1/3/1/8/131871535/456dd7e.pdf
  - http://nevofaxan.jacksoncieslak.com/uploads/1/3/1/4/131408516/2405380.pdf
  - http://www.ascendercorp.com/
  - http://www.ascendercorp.com/typedesigners.html
  - https://ebacbd38-2216-428d-8b1c-c2cf0a9627aa.filesusr.com/ugd/78daac_5d79f692f1024ebf851ac9b5028573ff.pdf?index=true
  - https://3a8cf4bb-e66a-41d1-a678-d2883d25632b.filesusr.com/ugd/04e6f9_e2fcc24693ec4558b340b7213ed07541.pdf?index=true
  - https://78afd0fc-1551-4221-8cef-f30c156497b7.filesusr.com/ugd/163759_313f6521e5e045c583f056b345748b70.pdf?index=true
  - https://839f4c6f-07bc-4957-a029-8aee416e723d.filesusr.com/ugd/67e251_63d9682ccd224e1c8f58d5bd342d5d51.pdf?index=true
  - https://f9cd6370-214b-4168-a169-fc14c872ecf3.filesusr.com/ugd/87d215_73401221e1bc439f905a9a75fea59a02.pdf?index=true
  - https://fe95efe8-d42d-44be-bbd9-79c3d271e6c2.filesusr.com/ugd/162fe6_807993fe023846f193f679eb4c218351.pdf?index=true
  - https://51f81f42-d647-4281-8c5c-3c9795b3d4de.filesusr.com/ugd/bcc0e4_dcdfd123f9e549dba59a8b045b7d590c.pdf?index=true
  - https://28767bce-7925-4784-a891-e22fb30c35cd.filesusr.com/ugd/717a42_f0857db36f864dd498e24d21b17c5833.pdf?index=true
  - https://ae09ab34-2232-475e-a769-72dc4d17b67c.filesusr.com/ugd/29c71c_e828564ee5664a7fa3a252ac0b615364.pdf?index=true
  - https://17658dec-a8c3-4c43-ad6a-7b44f34ecfd8.filesusr.com/ugd/865d50_f5fe4cece0074aa89b4f418c54192984.pdf?index=true
  - https://70622f33-50fd-462d-aa0a-880ca5a8b8c6.filesusr.com/ugd/b914b5_0b1ce778d0964a38b6eea1830e58f194.pdf?index=true
  - https://210feacb-beab-4c92-8514-268513ecb325.filesusr.com/ugd/83d902_5c6bd3219ed74dd0b2dd3dfaf88a0e80.pdf?index=true
  - https://5f427f40-27c2-4960-bf9b-f8da94f5191f.filesusr.com/ugd/fef806_82bb5a8d1f3e4886bd1a033fd5a021b9.pdf?index=true
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/rights/
  - http://scripts.sil.org/OFL
  The last seven entries (the RDF, Dublin Core and Adobe XMP namespace identifiers and the SIL Open Font License URL) come from XMP metadata and an embedded font's licence string, not from clickable links; exclude them when counting link-farm targets.
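The link-farm heuristics (PDF_SEO_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM) and the duplicate-object heuristic (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) above describe detection logic in prose. The following is an added example, not the analyzer's own code, that implements both checks over constructed sample PDFs: it pulls the URIs out of /Link annotations, clusters them by host, and reports which farm shape fires; and it walks the indirect objects, flags any object number/generation defined twice with differing bodies, and raises severity only when a duplicate body carries an active-content key. All thresholds, the disposable-host list, the active-content key list and the sample URLs (.example domains) are assumptions chosen for the demo; it uses only the standard library and fetches nothing.

```python
"""Toy PDF triage for the link-farm and duplicate-object heuristics above.
Added example, not the analyzer's code. Thresholds, host and key lists and the
sample PDFs are assumptions built for the demo; nothing touches the network."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")

# Assumed thresholds (not the analyzer's): max size of a "small" PDF, minimum
# clickable .pdf links, dominant-host share for a clustered farm, and minimum
# distinct hosts for a non-clustered one.
SMALL_BYTES, MIN_PDF_LINKS, DOMINANT_SHARE, MIN_HOSTS = 200_000, 5, 0.6, 4
DISPOSABLE_HOSTS = ("filesusr.example", "freeupload.example")   # assumed list
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/OpenAction", b"/Launch", b"/AA")

def parse_objects(pdf: bytes):
    """Yield (num, gen, body) for every indirect object, in file order."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()

def duplicate_bodies(pdf: bytes):
    """Map (num, gen) -> (first_wins_body, last_wins_body) for every object
    defined more than once with differing bodies."""
    seen = {}
    for num, gen, body in parse_objects(pdf):
        seen.setdefault((num, gen), []).append(body)
    return {k: (v[0], v[-1]) for k, v in seen.items() if len(set(v)) > 1}

def duplicate_severity(first: bytes, last: bytes) -> str:
    """Body-only duplicates stay informational; active content raises them."""
    return "raised" if any(k in first + last for k in ACTIVE_KEYS) else "info"

def link_uris(pdf: bytes):
    """URIs carried by /URI actions, i.e. the clickable links."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]

def classify_links(uris, size_bytes):
    """Names of the link-farm heuristics that fire for this link set."""
    hits = set()
    pdf_links = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    if size_bytes > SMALL_BYTES or len(pdf_links) < MIN_PDF_LINKS:
        return hits
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_share = hosts.most_common(1)[0][1] / len(pdf_links)
    if top_share >= DOMINANT_SHARE:
        hits.add("PDF_SEO_LINK_FARM")            # one host dominates
    elif len(hosts) >= MIN_HOSTS:
        utm = any("utm_term" in parse_qs(urlsplit(u).query) for u in uris)
        parked = any(h and h.endswith(DISPOSABLE_HOSTS) for h in hosts)
        if utm or parked:                        # spread thin, plus corroboration
            hits.add("PDF_SEO_DISPOSABLE_LINK_FARM")
    return hits

def triage(pdf: bytes):
    """Run both checks and return their findings in one dict."""
    dups = duplicate_bodies(pdf)
    return {"heuristics": classify_links(link_uris(pdf), len(pdf)),
            "duplicate_objects": {k: duplicate_severity(*v) for k, v in dups.items()}}

def build_pdf(uris, redefine_obj4=None):
    """Constructed minimal PDF with one /Link annotation per URI. If
    redefine_obj4 is given, object 4 is defined a second time with that body,
    the shape an appended incremental update leaves behind."""
    annots = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(uris)))
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >>",
            b"<< /Length 0 >>\nstream\n\nendstream"]
    objs += [b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
             b"/A << /S /URI /URI (" + u.encode("latin-1") + b") >> >>"
             for u in uris]
    out = b"%PDF-1.4\n" + b"".join(
        b"%d 0 obj\n%s\nendobj\n" % (i, body) for i, body in enumerate(objs, 1))
    if redefine_obj4 is not None:
        out += b"4 0 obj\n" + redefine_obj4 + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

# Constructed samples: a farm clustered on one host, one spread across
# disposable hosts with a utm_term redirector link, and two obj-4 rewrites.
CLUSTERED = [f"http://files.farm-host.example/uploads/{i}/doc{i}.pdf" for i in range(7)]
SPREAD = [f"https://{i:04x}-node.filesusr.example/ugd/{i}.pdf?index=true" for i in range(6)]
SPREAD.append("https://seo-redirect.example/go?utm_term=free+template+pdf")
BENIGN_UPDATE = b"<< /Length 9 >>\nstream\nreplaced!\nendstream"
ACTIVE_UPDATE = b"<< /S /JavaScript /JS (app.alert(1)) >>"

if __name__ == "__main__":
    print(triage(build_pdf(CLUSTERED)))
    print(triage(build_pdf(SPREAD, BENIGN_UPDATE)))
    print(triage(build_pdf(SPREAD, ACTIVE_UPDATE)))
```

The regex-based object walk is deliberately naive (no xref parsing, no object streams), which is the point: it sees every definition in the byte stream, so it catches the first-wins/last-wins split that a conforming reader, which only follows the xref table, would hide. Against a real sample, feed the file bytes to `triage()` and extend `DISPOSABLE_HOSTS` with the free-hosting domains you see in the URL list.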
Extracted artifacts (3)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00005a9c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5A9C | 5468 bytes | 5bffdec636137d685832d2c1be094b8685d812e8725bdc07b89f1c7eede5d738 |
| font_01_sfnt_off00006d14.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6D14 | 1952 bytes | 3f2ce2d979b81614d089de1b14f9f3dd670f7a5e49bbd6cf1a199f19e29dc309 |
| font_02_sfnt_off0000767b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x767B | 11892 bytes | 6d3337c95a1ec513e14962cd7478c3bcd9a10fc418c07c6fd40fd9d7966a53e1 |