Verdict: MALICIOUS
Risk Score: 154
Malware Insights
MITRE ATT&CK:
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains numerous embedded links, with one prominent URL pointing to a redirector associated with malicious activity. The document body, though partially garbled, includes text suggesting a lure related to 'auto record all calls android', which aligns with the malicious redirector URL. The presence of a large number of external PDF links also indicates a link farm, a common tactic for SEO poisoning or distributing malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (4)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Flagged redirector URL: https://ttraff.club/wix?keyword=auto+record+all+calls+android
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00006830.bin | 441f5d5fedbffb3ba47d8d8a584b61afb65a2a105962d46b0bf3e0014e652b6c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6830 | 4924 bytes |
| font_01_sfnt_off000078f7.bin | 59e057ac649ccf1c30691d5e850a0615cc41a4f9cc6b1978b5acdf7d61570496 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x78F7 | 13020 bytes |