Verdict: MALICIOUS
Risk Score: 154
Malware Insights
MITRE ATT&CK
- T1566.002 Spearphishing Attachment
- T1059.001 PowerShell
The PDF contains a link to a known malicious redirector, disguised with a keyword that suggests educational content. The PDF also contains a large number of external links, many of which point to PDF files hosted on various domains, suggesting a link farm or a method to distribute further malicious content. The ML classifier also strongly indicated maliciousness.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (4)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URLs
- https://ttraff.club/wix?keyword=geocultura+capitulo+5+answers
- http://femig.theperfecthealing.com/uploads/1/3/0/7/130739726/6921715.pdf
- http://bixulasi.gouveiaslandscaping.com/uploads/1/3/1/3/131381088/6376f02fa944.pdf
- http://nulumijoz.adrienneghaly.com/uploads/1/3/0/8/130814297/ee0a4a4.pdf
- http://sexusoz.memorial-videos.com/uploads/1/3/2/6/132681337/1f86b9e.pdf
- https://22a9cc9e-99bc-4ea2-ba81-3e5fe113fbe9.filesusr.com/ugd/45fd81_2b54c4ccd75843749ee31be32f4f4bbf.pdf?index=true
- https://90fb0914-8ef7-4cb1-8537-30cbb870784f.filesusr.com/ugd/9bd8c3_127f3b2ac4234e4abb9b0d6df46e0bb1.pdf?index=true
- https://142d726b-d393-41ec-a78d-73165bc0f51b.filesusr.com/ugd/58a813_6469173773934ff8b4b74dcad60a6bda.pdf?index=true
- https://4787194f-c696-4bab-8715-2583618c7057.filesusr.com/ugd/f08e01_2faccb2751c54149b56ec78cb5627d90.pdf?index=true
- https://3bc69e9a-7435-4d9d-b345-d51e496c381c.filesusr.com/ugd/067ecb_2e0db4199eb742379e182dfa20dd02da.pdf?index=true
- https://6384adf7-2cd7-46df-9afb-a79356f838dd.filesusr.com/ugd/2994dd_7cd72d3f3bf241f1af0ef3478f9dd72b.pdf?index=true
- https://9f7253c2-dce7-4b3a-a874-8998e57e0111.filesusr.com/ugd/f0e51d_2b863b4a02144a39b4aecbc3da08eee0.pdf?index=true
- https://5c64502b-16c6-4afa-8f6c-202a7cb8328a.filesusr.com/ugd/3be3a7_b287f0e2e0fc4a9499b7bf6a39b4e3f7.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00006031.bin | 8d2dafcb25e30fec08d2d699ef7fb20bbd8c7c5c8fc5f5ef0de79ab909a7b69d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6031 | 5176 bytes |
| font_01_sfnt_off000071f0.bin | 14471c552f7074c96bc8a895aab4a04961658f0ad738fe92fbea6958aa4f67d0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x71F0 | 10452 bytes |