MALICIOUS
194
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains numerous links, including one pointing to a known malicious redirector, 'https://ggtraff.ru/123?keyword=uc+davis+pre+health+conference+moderator'. This indicates a likely attempt to direct users to malicious content or phishing sites. The presence of a large number of external PDF links also suggests a link farm or SEO manipulation tactic. No scripts were extracted, but the embedded URLs and heuristic firings strongly suggest a malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINKPDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ggtraff.ru/123?keyword=uc+davis+pre+health+conference+moderator In PDF document text
- https://cdn-cms.f-static.net/uploads/4379362/normal_5f8da92fc2e57.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4389603/normal_5f98981bf34c3.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4378379/normal_5f9102bcd996e.pdfIn PDF document text
- https://talowitutujuf.weebly.com/uploads/1/3/3/9/133999148/tisonozi-nonulowukoj.pdfIn PDF document text
- https://kotonimurapuva.weebly.com/uploads/1/3/4/4/134440920/ligukaselejavovada.pdfIn PDF document text
- https://xexovelez.weebly.com/uploads/1/3/0/8/130813416/2452101.pdfIn PDF document text
- https://koxoganonigowup.weebly.com/uploads/1/3/1/4/131408343/bitafume.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/kigavanus/afrikaans_gedigte.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0502/9396/5000/files/nujonapofuwatumokujab.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/54f28048-b3b6-47cd-ae37-eb7fd8314bba/46730199342.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/2d0648eb-9553-4034-9df0-5e71a5270b1d/41743831442.pdfIn PDF document text
- https://s3.amazonaws.com/susopuzupure/2755406494.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0504/4640/1711/files/bonaire_evaporative_cooler_wont_turn_on.pdfIn PDF document text
- https://s3.amazonaws.com/zuxadol/jebukiralizit.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/efb3fe50-7fb4-4316-8012-f7dc2ff87d96/vujobubixidabebajemixiset.pdfIn PDF document text
- https://s3.amazonaws.com/kakef/solar_system_research_project_5th_grade.pdfIn PDF document text
- https://s3.amazonaws.com/zirojopemup/rukobojuzowolebol.pdfIn PDF document text
- https://s3.amazonaws.com/gupuso/jowovafobedov.pdfIn PDF document text
- https://s3.amazonaws.com/bizamesuwepe/96300654667.pdfIn PDF document text
- https://s3.amazonaws.com/zepifudoxapo/58072103600.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/3ed0dad8-f4e3-4c91-955d-61358c0966fd/tera_innerwear_guide.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0500/3503/2250/files/xos_launcher_full_mod_apk.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000066de.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x66DE | 5444 bytes |
SHA-256: c98ceac2e912aca9656054fdc46f000a2ed9be45a5ea84775ec002a213beaeff |
|||
font_01_sfnt_off00007948.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7948 | 11208 bytes |
SHA-256: 1a8856711f930f9e75921abbdb26f82e80f8e16f22e0cbc36164f5d755bf59d7 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.