MALICIOUS
Risk Score: 154
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF contains numerous embedded links, with one identified as a malicious redirector. The document body, though heavily obfuscated, contains text related to Excel VBA and a URL that appears to be part of a link farm designed to attract search engine traffic. This suggests an attempt to direct users to malicious infrastructure under the guise of providing technical information.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9999
Heuristics 4
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://ggtraff.ru/wb?keyword=change%20the%20active%20worksheet%20in%20excel%20vba (in PDF document text)
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_006_off0000ac63.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xAC63 | 24436 bytes | 66409e3fb1f29bf3804cde36be342ece6d4ed2116fa90505ad9df256f1594064 |
| font_00_sfnt_off00006ca4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6CA4 | 5388 bytes | c47cfef054b2e1541720184555290f3c21e0879fe3b8bfbcf415c6675db3c481 |
| font_01_sfnt_off00007eff.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7EFF | 2076 bytes | e6b41424cbfbab56785d1d111fff896518f16f9ecc2d4d57a6cdabbdaf1573d2 |
| font_02_sfnt_off0000880d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x880D | 10764 bytes | 0fc2a525f01bba672fdf0c549a4de1788d0fd8ea5a45377256c4f272be25fea9 |