MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF document contains embedded links that lead to a redirector URL, indicating a phishing or malicious content delivery attempt. The document body, though obfuscated, contains text related to a 'Herman miller ergon chair manual' and a URL, suggesting a lure to trick users into clicking the malicious link. The presence of numerous external PDF links further supports the classification as a link farm designed to host malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=herman+miller+ergon+chair+manual
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0428/7224/2342/files/ninufovibevoto.pdf
- https://cdn.shopify.com/s/files/1/0430/8107/2789/files/tafojusapemejat.pdf
- https://cdn.shopify.com/s/files/1/0437/1621/4936/files/xujajovonezuzubosipu.pdf
- https://cdn.shopify.com/s/files/1/0431/0908/9447/files/gubavidasikitavage.pdf
- https://cdn.shopify.com/s/files/1/0438/3509/7245/files/birijunafuxoked.pdf
- https://static.usrfiles.com/ugd/47b1e8_4568b67182aa492b81adf765b92e2ab5.pdf
- https://static.usrfiles.com/ugd/01bc73_33c1cc6931b14b6b88240a0542768537.pdf
- https://static.usrfiles.com/ugd/3f80ec_58ed854ef2d343e5ba053b0e695eea35.pdf
- https://static.usrfiles.com/ugd/3ceeb9_2851832663034a95b5eb71526aa34085.pdf
- https://static.usrfiles.com/ugd/b8c837_5cf8069f8c0d426ab0bcfc82345a14d2.pdf
- https://static.usrfiles.com/ugd/822ecd_e7c1ea154c434967add847e1f5a0b376.pdf
- https://static.usrfiles.com/ugd/0d2908_9e24f1a8ad6546ddaf3d45f071f18d72.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00004a5f.bin45ce1cd3cf228c080582d1125d2f39ac2fac3b2184ee1a2aaf2f00c3374bcb4c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4A5F | 4996 bytes |
font_01_sfnt_off00005b1f.bince8e15fadf4615fb4e890b635044313bf128d5a8e9a898fd3e1b70e3e194a5d3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5B1F | 9768 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.