MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains embedded links that redirect to malicious infrastructure, specifically a URL associated with a redirector. The document body, though heavily obfuscated, contains text that appears to be a lure for 'staff details form template'. The presence of numerous external PDF links further suggests a link farm or redirection scheme designed to obfuscate the final malicious destination.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wix?keyword=staff+details+form+template
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static.usrfiles.com/ugd/2f3ac6_f6419b2d3bab48cea60a8b306e1638db.pdf
- https://static.usrfiles.com/ugd/9ec29b_75bcf09dea20401da347e336bc130d03.pdf
- https://static.usrfiles.com/ugd/c0fca2_bd3fb25c6c1246c7a4fad9b391bc9d75.pdf
- https://static.usrfiles.com/ugd/fd7405_14aa4528646b48b19090d39e51a5dee4.pdf
- https://static.usrfiles.com/ugd/a4e402_19882c65d4e148ce9fea484dab992c5a.pdf
- https://static.usrfiles.com/ugd/18574e_d4cee71c15f04d36912c99e834a1ff89.pdf
- https://static.usrfiles.com/ugd/921909_a80dc0eaf60a44c69a51662ecd4f619f.pdf
- https://static.usrfiles.com/ugd/29c71c_24f82ca5a25d4675b047d4acf444e376.pdf
- https://static.usrfiles.com/ugd/a8cc01_e1124ca7d12248739136e1b9763d72de.pdf
- https://static.usrfiles.com/ugd/f4de5e_21813ccdb905468d9471c7f4c37a4cac.pdf
- https://static.usrfiles.com/ugd/565485_e26beee54d654acbb73bffc48ebf02db.pdf
- https://cdn.shopify.com/s/files/1/0433/9456/4252/files/70565930881.pdf
- https://cdn.shopify.com/s/files/1/0430/8929/7568/files/musawojonelulowad.pdf
- https://cdn.shopify.com/s/files/1/0431/4103/8229/files/lowemuxaputagimudamap.pdf
- https://cdn.shopify.com/s/files/1/0430/9378/6791/files/94689789609.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000070a0.bin0bb42da85977ece76c503c501b552d93d08c5e48de1d636787bd0b6dc6ffbdfd |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x70A0 | 5292 bytes |
font_01_sfnt_off00008289.bindfa5b329e2debc92bbed98c6b5aadf94edf7dd379a0cda81037120d59380b8ad |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8289 | 15988 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.