MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file was flagged as malicious by an ML classifier and contains a large number of external links, many of which point to a link farm hosted on static.usrfiles.com. One of the embedded URLs, https://ttraff.cc/wix?keyword=enfoque+mixto+segun+sampieri+pdf, is identified as a known malicious redirector. The document body appears to be obfuscated or corrupted, but the presence of the wkhtmltopdf authoring application and a date suggests it was programmatically generated.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wix?keyword=enfoque+mixto+segun+sampieri+pdf
- https://static.usrfiles.com/ugd/b8c837_7e178cdb969847e5933a8d0d38cee5e7.pdf
- https://static.usrfiles.com/ugd/b8c837_2a6ee4b485994e83a8f61d18f6b92ae3.pdf
- https://static.usrfiles.com/ugd/cf79db_21c7ecfb0fdc45a0979c8e542584d028.pdf
- https://static.usrfiles.com/ugd/ce14f3_d5d7bc47b1634256afa92983ba8b0330.pdf
- https://static.usrfiles.com/ugd/2ac701_515153d72caa46d0972caadb510fcaa8.pdf
- https://cdn.shopify.com/s/files/1/0432/8125/2512/files/katazomalet.pdf
- https://cdn.shopify.com/s/files/1/0432/3170/7294/files/arya_2_karige_loga_song_free_downloa.pdf
- https://static.usrfiles.com/ugd/9ff9b8_e3bb57fcede84a5db0aaff266f8c97db.pdf
- https://static.usrfiles.com/ugd/b8c837_34673d49eded4ce1b9fad9f5457f82a1.pdf
- https://static.usrfiles.com/ugd/12745a_a41fd88fa46042a28f97d463c26403ea.pdf
- https://static.usrfiles.com/ugd/ce0e6d_dcde245d85634fc3872a98b793ec7c09.pdf
- https://static.usrfiles.com/ugd/b8c837_87458f3efb3744c78231bbfa0f50a625.pdf
- https://static.usrfiles.com/ugd/c63dba_835c5014640c44e7af2b85728662c774.pdf
- https://static.usrfiles.com/ugd/b8c837_4d839e889e1743e389a3da0ab895b5a3.pdf
- https://static.usrfiles.com/ugd/b8c837_4c523a31869c47538eeaff3ab465aa72.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://static.usrfiles.com/ugd/b8c83
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00009b0f.bin2ea80cb383dfe52166310033f727585fc380fa8c5d76e04c7f1b9e1157eeec8b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9B0F | 5480 bytes |
font_01_sfnt_off0000ada0.bind94c2ff9b509532f7b52bbbb3a71376335ae3c7aadbfb402b33444d12306fa91 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xADA0 | 11688 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.