MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF document contains a lure to download a specific technical document, which is a common social engineering tactic. It embeds numerous links, including one to a known malicious redirector at 'ttraff.com', and many others pointing to PDF files hosted on various domains. These links are likely part of a link farm designed to manipulate search engine results and lead users to malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wb?keyword=descargar%20nfpa%2070e%202018%20gratis%20espa%C3%B1ol%20pdf#descargar+nfpa+70e+2018+gratis+espa%25C3%25B1ol+pdf
- http://files.daisysrdc.com/uploads/1/3/0/8/130814279/sixarur.pdf
- http://files.jewellhjohnson.com/uploads/1/3/2/8/132816158/252b1d3f634b0.pdf
- http://files.vcgallery.org/uploads/1/3/1/8/131856381/rokererukirejakifu.pdf
- http://files.matchmypartytheme.com/uploads/1/3/0/7/130775651/rujezela_jawabar.pdf
- http://files.morroandjasp.com/uploads/1/3/0/9/130969375/wojerodijudo.pdf
- http://files.vonderhauswulfgermanshepherd.com/uploads/1/3/0/8/130813797/fivepeno.pdf
- http://files.judicheco.com/uploads/1/3/1/6/131607712/9605056.pdf
- http://files.jjjohnsonauthor.com/uploads/1/3/1/4/131437268/lotoxaboxubuw.pdf
- http://files.negsbestthing.com/uploads/1/3/2/8/132815961/riwemuto.pdf
- http://files.monfortestatesdacula.com/uploads/1/3/2/6/132681002/226bb98.pdf
- http://files.straymongrel.com/uploads/1/3/1/8/131871894/4cc60b638a0f8e.pdf
- https://fuwowob.files.wordpress.com/2020/06/divusojejijolewirugomumat.pdf
- https://jebituren.files.wordpress.com/2020/06/17604081305.pdf
- https://pekakupesile.files.wordpress.com/2020/06/33603993726.pdf
- https://zonaselid117862540.files.wordpress.com/2020/07/79286466529.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00007c8e.bind97ca065a8bb8db7e922b63fafc8572e11f6bf9c3ecbb10e6fb313e68ae4ddcf |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7C8E | 5920 bytes |
font_01_sfnt_off0000908b.bine195a141e77beff56780ae76afd1201b6972b6650f72e4d9dd24d8e146d76831 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x908B | 11520 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.