MALICIOUS
174
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF document contains multiple embedded links, with one identified as a known malicious redirector. The document impersonates a cloud service, aiming to trick the user into clicking the malicious link. The ML classifier strongly indicated maliciousness, and the presence of a redirector URL suggests an attempt to deliver a secondary payload or phish credentials.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Cloud document impersonation lure medium SE_CLOUD_DOC_LUREDocument impersonates a cloud file-sharing service such as SharePoint, OneDrive, Google Drive, Dropbox, Box, or Microsoft 365 and asks the user to open, verify, or access a shared document
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.link/wix?keyword=htm+2+pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static.usrfiles.com/ugd/de60da_71aa31bfe97e462b9834505abb522392.pdf
- https://static.usrfiles.com/ugd/b8c837_2308741587624078afb1e30c1397e1a0.pdf
- https://static.usrfiles.com/ugd/cd79e3_10f8941f56b04a499c3d243e5ff71d52.pdf
- https://static.usrfiles.com/ugd/b8c837_79205009721042c7a088d05b4efaf80a.pdf
- https://static.usrfiles.com/ugd/7ea8bb_8e1c526ad7654c16b2d80eb7fec2f148.pdf
- https://static.usrfiles.com/ugd/b8c837_f638475c55ef479c915449acb3f40f13.pdf
- https://static.usrfiles.com/ugd/b8c837_574a037abe994a8a9fa4f279587cdbb0.pdf
- https://cdn.shopify.com/s/files/1/0434/8719/9394/files/pugowekug.pdf
- https://cdn.shopify.com/s/files/1/0432/4841/8973/files/encounter_shankar_movie_song_free.pdf
- https://static.usrfiles.com/ugd/b8c837_d17db36ffd7a4e5c8cbb7c4f97faa918.pdf
- https://static.usrfiles.com/ugd/b8c837_275cda56b0994275b542f2aee5bec5c1.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000065ec.bin590f61d8d049d2c1455fb6cb52af9c5e8ee3e87c9880186d1d051e37ac3e895f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x65EC | 4764 bytes |
font_01_sfnt_off00007619.bin77f7c47d405542a003b3b110a1fc6eb9e4cd7fed47184aee85e4c9dc0ebd326d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7619 | 10232 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.