MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains multiple embedded URLs, with one identified as a malicious redirector. The ML classifier strongly flagged this PDF as malicious. The presence of a link farm and a redirector suggests an attempt to lure users to malicious content, likely for phishing or malware delivery. No scripts were extracted, and the document body was heavily obfuscated.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=cd+de+reggaeton+old+school
- https://cdn.shopify.com/s/files/1/0430/7478/1338/files/waste_to_energy.pdf
- https://cdn.shopify.com/s/files/1/0435/5047/4403/files/29613054228.pdf
- https://cdn.shopify.com/s/files/1/0431/6967/7474/files/stop_code_irql_not_less_or_equal.pdf
- https://cdn.shopify.com/s/files/1/0430/5109/0077/files/21144018463.pdf
- https://cdn.shopify.com/s/files/1/0431/6640/0673/files/tewagapexugasinojolobare.pdf
- https://static.usrfiles.com/ugd/9219f8_9c24eced67b8423bb43175970d9cc0e7.pdf
- https://static.usrfiles.com/ugd/b8c837_00019555e78f499daa8fb10badac18db.pdf
- https://static.usrfiles.com/ugd/314c35_fbba2843be7049098c24fe0f841348cd.pdf
- https://static.usrfiles.com/ugd/b8c837_d345e268873f4e8cafee38c42d1886bc.pdf
- https://static.usrfiles.com/ugd/d3758e_0c2ccaec1b7941508d68ac3e30f396d9.pdf
- https://static.usrfiles.com/ugd/b8c837_ddcf71396a3c463a99180d85e72960ff.pdf
- https://static.usrfiles.com/ugd/b8c837_d89f4c1daefa4a51ba6be8fbc032956c.pdf
- https://static.usrfiles.com/ugd/87a178_13268178e1c7445ea0b246b06b2e91b4.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000644b.bin10c08b9c26dec14bbf570957a4b2841ec1f1f8154754404e5dce18902c4b7106 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x644B | 5104 bytes |
font_01_sfnt_off00007593.binb5554b11daf8569266ff18e89599a7a1733bcee794227080c99b82bc5e2b639d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7593 | 5064 bytes |
font_02_sfnt_off0000844d.bin35ecd46b29fb98b2d838001cde545901fea67c1763d98bae26df189902fd5381 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x844D | 15844 bytes |
font_03_sfnt_off0000b5e6.bind26fdce492fb9e8c49f527e3a91555393c735dd4d56e489be838b86a3f7c22b7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xB5E6 | 16488 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.