MALICIOUS
194
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a large number of embedded links, many pointing to PDF files hosted on external sites, indicating a link farm for SEO manipulation or to distribute further malicious content. One critical link directs to known malicious redirector infrastructure. The presence of a 'Password-protected archive handoff' heuristic suggests this document may be a lure to trick users into downloading an archive, which would then require a password provided by the document to decrypt a payload.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://traffmen.ru/aws?keyword=conjuguemos+spanish+login
- https://zawiferodabubap.weebly.com/uploads/1/3/4/4/134447725/sozowexusoleb-sopeze.pdf
- https://dimaxafazeza.weebly.com/uploads/1/3/1/4/131453031/nukexifepejisox.pdf
- https://mejawazur.weebly.com/uploads/1/3/4/2/134265830/8dd7d8ccbd.pdf
- https://cdn-cms.f-static.net/uploads/4369317/normal_5f8af52c1857c.pdf
- https://cdn-cms.f-static.net/uploads/4371247/normal_5f998d2b789f1.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://zerofizuko.files.wordpress.com/2020/11/canadian_c_spine_rule.pdf
- https://pavezisetapo.files.wordpress.com/2020/11/namejifefofiwikok.pdf
- https://paxajupivog.files.wordpress.com/2020/11/zikin.pdf
- https://minezonateta.files.wordpress.com/2020/11/71909694747.pdf
- https://jinugobax.files.wordpress.com/2020/11/45695055110.pdf
- https://pavokido.files.wordpress.com/2020/11/attestation_letter_of_good_character.pdf
- https://xanafegeze.files.wordpress.com/2020/11/20431748474.pdf
- https://ruvujawiwubu.files.wordpress.com/2020/11/up_tgt_pgt_notification_2016.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000442d.binbf0cbb718550a0336d9d674560dc6fae56e2493cdd7a034bb66850c501082f61 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x442D | 5116 bytes |
font_01_sfnt_off00005573.bince7b8876427e70515b0527f5b706872018748899e5c657b54fdeb34516ebfc33 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5573 | 11028 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.