Verdict: MALICIOUS
Risk Score: 154
Malware Insights
MITRE ATT&CK
- T1566.002 Spearphishing Attachment
- T1059.001 PowerShell
This PDF file was flagged as malicious by an ML classifier and contains a critical heuristic indicating it links to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains a URL that appears to be a lure for free movie downloads, which is a common social engineering tactic. The presence of numerous other PDF links further suggests a link farm designed to distribute malicious content or phish users.
Machine Learning
- Nyx PDF Classifier: malicious score 1.0000
Heuristics (4)
- [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure. The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
- [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm. The small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies. The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- [info] EMBEDDED_URL: Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted URLs:
- https://ttraff.me/wix?keyword=instructions+not+included+full+movie+free+online+with+english+subtitles+download
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00005cbe.bin | 586ddd306a688dc8607f3a3e5eef8ede4a6c4117e45d9657382d6908740b260e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5CBE | 5664 bytes |
| font_01_sfnt_off00006fe9.bin | c0106083a1c11f12fd0aa8908d4eafd272c3ce13b64fa9dd55c3cf8fc07a25f0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6FE9 | 10364 bytes |