MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a link that redirects to malicious infrastructure, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains the URL 'https://ttraff.cc/pify?keyword=axis+education+loan+form', suggesting a lure related to loan applications. The presence of a large number of external PDF links also points to a link farm or redirection strategy. The ML classifier strongly flagged this PDF as malicious.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=axis+education+loan+form
- http://zarupiv.vincentsgermanshepherds.com/uploads/1/3/2/3/132302868/2926444.pdf
- http://sotazuj.jaclynruth.com/uploads/1/3/1/6/131606289/5116045.pdf
- http://dagolebi.dmedicinewoman.com/uploads/1/3/1/3/131398591/9587046.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/toraladomokipina.pdf
- https://cdn.shopify.com/s/files/1/0436/3013/3408/files/2482804365.pdf
- https://cdn.shopify.com/s/files/1/0434/4132/4184/files/10333093313.pdf
- https://cdn.shopify.com/s/files/1/0447/9270/9271/files/art_and_design_evaluation_sheet_ks2.pdf
- https://cdn.shopify.com/s/files/1/0429/3004/5091/files/borg_dyspnea_scale.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/fofigez.pdf
- https://cdn.shopify.com/s/files/1/0431/2327/7973/files/kexofanemewuxote.pdf
- https://cdn.shopify.com/s/files/1/0435/8674/8579/files/pifadizutasi.pdf
- https://cdn.shopify.com/s/files/1/0427/9376/2975/files/dufokixasagebup.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/80804151078.pdf
- https://cdn.shopify.com/s/files/1/0438/2582/3904/files/79755903322.pdf
- https://cdn.shopify.com/s/files/1/0437/8525/7112/files/zekesimikotugu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006be3.bin967ac2817a36cf7a9c2f8bd19d0b23d8f62d9f6e8c407af1aac45989cd8afc9d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6BE3 | 5224 bytes |
font_01_sfnt_off00007d83.bind8ad8492ea202df75bccc777d1e57e6714e8b757d4a823a3ab9adf9f3df20ac9 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7D83 | 10152 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.