MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a prominent link that redirects to a known malicious domain, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains the same text as the link's keyword, suggesting a lure. The ML classifier also strongly indicated maliciousness. The primary attack vector appears to be directing the user to a malicious URL.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.me/wix?keyword=emergency+endodontic+treatment+pdf
- https://static.usrfiles.com/ugd/7598fa_493312956a794d439d9071f108eb4eaf.pdf
- https://static.usrfiles.com/ugd/cc15ef_c10c9bbb8e884487b39a28d271da57eb.pdf
- https://static.usrfiles.com/ugd/1b7c00_a3cfe8c3e8b145eda82c5ac40385b2d6.pdf
- https://static.usrfiles.com/ugd/3826db_8fda1ed7bc3741ddb8685315d64c20d8.pdf
- https://static.usrfiles.com/ugd/b8c837_33ace708e8524835b9e9b6d815723726.pdf
- https://cdn.shopify.com/s/files/1/0431/8127/7352/files/47972512764.pdf
- https://cdn.shopify.com/s/files/1/0438/2700/3549/files/pepsinogeno_funcion_pdf.pdf
- https://cdn.shopify.com/s/files/1/0431/8344/0030/files/kuvitedawetuzibidatobulu.pdf
- https://cdn.shopify.com/s/files/1/0431/5270/3645/files/22412922831.pdf
- https://static.usrfiles.com/ugd/ac72e0_8ff04ffe7419414688c14dca9532c6ac.pdf
- https://static.usrfiles.com/ugd/225520_3fd824ee2ace4d1a92d836edea4c7a4e.pdf
- https://static.usrfiles.com/ugd/b8c837_7c4e3d1d74f947e1ae4d67666191a89f.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000bdb0.bina8640cb23b15ac802f89dd0648c07b7ad030d8b62c5f78624c3814794ace58c4 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xBDB0 | 1684 bytes |
font_01_sfnt_off0000c614.binca697c283277f490d53758c8c20aca66ef16fb7e7ef6d5d9597772835d9173a2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC614 | 5324 bytes |
font_02_sfnt_off0000d81e.binb455134215c1f127543c9e9325f175308c359cbf98b278a12a4b01fea3a88c9a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD81E | 6092 bytes |
font_03_sfnt_off0000e7f1.bin172426dd12c7970cea6e3e9b3d905837222b5947104df1802d953cd567ec5102 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE7F1 | 10268 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.