MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a significant number of embedded links, identified as a link farm, with one prominent URL pointing to a known malicious redirector. The ML classifier also strongly indicated maliciousness. The document body, though heavily obfuscated, contains the same redirector URL and numerous benign-looking Shopify URLs, likely part of the SEO spam tactic to improve search engine ranking for the malicious link. No scripts were extracted from this sample.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=basketball+uniform+jersey+psd+template
- http://files.primitivedreams.ca/uploads/1/3/1/4/131483361/gukemuxunakun.pdf
- http://files.learnfrombarrymaterials.com/uploads/1/3/1/4/131406498/xutofowewisiwo-luwowawa.pdf
- http://files.activatetransformperform.com/uploads/1/3/0/9/130969655/9906056.pdf
- http://files.yakimatietonirrigation.com/uploads/1/3/2/7/132741476/bipediwiwolusupun.pdf
- http://files.andrewjohnsart.com/uploads/1/3/1/0/131070112/048a769b1c9e3.pdf
- https://cdn.shopify.com/s/files/1/0430/8919/9268/files/karaoke_cd_g_creator.pdf
- https://cdn.shopify.com/s/files/1/0438/8922/9979/files/55638886915.pdf
- https://cdn.shopify.com/s/files/1/0437/3538/4225/files/luzilesemot.pdf
- https://cdn.shopify.com/s/files/1/0427/4490/5884/files/tupegesuzepanaxojabiforax.pdf
- https://cdn.shopify.com/s/files/1/0445/7952/0676/files/early_transcendentals_6th_edition.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/loxidunadubufurepetiverox.pdf
- https://cdn.shopify.com/s/files/1/0432/7456/7843/files/pajukadevukurarese.pdf
- https://cdn.shopify.com/s/files/1/0431/5004/9446/files/ext_glicol_calendula.pdf
- https://cdn.shopify.com/s/files/1/0437/4983/4901/files/analysis_of_financial_statements_project.pdf
- https://cdn.shopify.com/s/files/1/0428/6971/9196/files/91148069310.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00004ea9.binbdb1aa911580f10fd043bd44b885739a28352985119c8acf97ed6f5839906c88 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4EA9 | 5620 bytes |
font_01_sfnt_off000061b3.bin7dbe9dbe43df17fee1dca026c3c689f6d1d667c02854278c31dba57b1b276c09 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x61B3 | 10336 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.