MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF contains a link to a redirector URL, which is a common tactic for phishing or malware distribution. The document body, though heavily obfuscated, contains keywords related to a printer and a URL that appears to be part of a link farm, suggesting a lure to a malicious site. The ML classifier also strongly indicated maliciousness.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wix?keyword=canon+bubble+jet+printer+i80
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static.usrfiles.com/ugd/837d34_11620792c2fc4131813ba80d08f66bdb.pdf
- https://static.usrfiles.com/ugd/314c35_c8a9b7a5000842f0a506a6f4d09a5783.pdf
- https://static.usrfiles.com/ugd/cc14e4_a98e2889e2654a7f80d9c0c92a6d0464.pdf
- https://static.usrfiles.com/ugd/b8c837_64868b7e3afa4005ab0bfa9053173533.pdf
- https://static.usrfiles.com/ugd/cb2bed_f6399c410d8e4c27aaf7163d97d83163.pdf
- https://static.usrfiles.com/ugd/c1615c_685378fc0f364bcd9d6b590429b1defc.pdf
- https://static.usrfiles.com/ugd/b8c837_9e46784d0e14422c82fdf6e6567ef99a.pdf
- https://static.usrfiles.com/ugd/6240f8_d396b278fac84bc5943246529059a56c.pdf
- https://static.usrfiles.com/ugd/b8c837_86fd3b4a1b0e47df8cd87c2ef50731de.pdf
- https://static.usrfiles.com/ugd/0baf77_26a4a3bcb8fc4f5a902bf8783af53997.pdf
- https://static.usrfiles.com/ugd/76b6de_fe078fdecaa34bf18c0b0304d36040ae.pdf
- https://static.usrfiles.com/ugd/b8c837_eb823b2bf3bf42fab79ae2377cbac88d.pdf
- https://static.usrfiles.com/ugd/34ec99_423c6d5bc84d4982bf3b55c91b22c75e.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000612f.binf0b6181e2ea5de3cf7e339804a67dfb558bb2550ecb846681914ffe817b1ac98 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x612F | 5092 bytes |
font_01_sfnt_off00007287.bin65b358c7b6d4ed139033eab639b84e6b8541d21700814fdf8c9ed67284003d3d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7287 | 10304 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.