MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF was flagged as malicious by a machine learning classifier and contains a critical heuristic indicating it links to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains a URL that matches the malicious redirector. The presence of a link farm suggests an attempt to manipulate search engine results or distribute content through numerous seemingly benign links, with at least one leading to malicious activity.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wix?keyword=6.5+grendel+reloading+handbook+volume+2
- https://cdn.shopify.com/s/files/1/0430/0144/6554/files/crappie_fishing_report_sardis_lake_ms.pdf
- https://cdn.shopify.com/s/files/1/0430/5072/9634/files/tebomega.pdf
- https://cdn.shopify.com/s/files/1/0447/6986/9975/files/earth_porn_reddit.pdf
- https://cdn.shopify.com/s/files/1/0435/3366/4420/files/broadcasting_equipment.pdf
- https://cdn.shopify.com/s/files/1/0435/3989/0327/files/17311991663.pdf
- https://static.usrfiles.com/ugd/d78803_7cb0e9dc041145bb83eb69fcef2a4161.pdf
- https://static.usrfiles.com/ugd/b8c837_e3a2922c4e134e8986225f52af941c85.pdf
- https://static.usrfiles.com/ugd/b8c837_9ff3a7138cc3429ea17e92826c9049c5.pdf
- https://static.usrfiles.com/ugd/89064d_e5217a41c708412daf97e55049d39435.pdf
- https://static.usrfiles.com/ugd/5438e3_b7ed17f5b6c24851923b7dcfe117dcd4.pdf
- https://static.usrfiles.com/ugd/cec570_c6cdfe773182431da1fef807b961f98f.pdf
- https://static.usrfiles.com/ugd/760101_2f4f300dbbe74a7db9b972796bfeaa5b.pdf
- https://static.usrfiles.com/ugd/daca0d_659b19b148fd4cbcaccfa5a90b2d9bf9.pdf
- https://static.usrfiles.com/ugd/455f95_0751951fd6444aa2bd7a52139998de7a.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000a6b5.bin04c0b2a26eac49199621caff00af2f5f07667fd393f43018fbd9dca2e40eb70f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA6B5 | 5672 bytes |
font_01_sfnt_off0000b9cf.binb05bc1a7553a895c4dd71d0d362aa99ab978a265c773783dc2730495bced5fbd |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xB9CF | 10920 bytes |
font_02_sfnt_off0000dee5.bin84d5bd19c210eb3b73ecc14096ab1e56fdfb5b80ce7ba4f0052c67c0c2b02727 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDEE5 | 16060 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.