Verdict: MALICIOUS
Risk Score: 154
Malware Insights
MITRE ATT&CK: T1566.001 Spearphishing Attachment
The PDF file contains a large number of embedded links, with at least one identified as a malicious redirector. The ML classifier also strongly indicated maliciousness. The document body, though heavily obfuscated, contains a URL that matches one of the embedded links, suggesting an attempt to lure the user to a malicious site for further exploitation.
Machine Learning
- Nyx PDF Classifier malicious score 0.9993
Heuristics (4)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): the PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): a small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- PDF differential parser failed (info, PDF_DIFFERENTIAL_PARSE_FAILED): the cross-check parser (pdfminer.six) failed on this file with PDFSyntaxError. The static heuristics still ran and their findings above remain valid; only the differential cross-check signal is missing.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL channel label says which path (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs (channel for every entry below: in PDF document text)
- https://ggtraff.ru/strik?keyword=vehicle+upgrade+console+subnautica
- http://files.chevalfarming.com/uploads/1/3/0/8/130814411/bb7e364348.pdf
- http://files.barskinproducts.com/uploads/1/3/1/6/131606127/5f3ed592d.pdf
- http://muned.livelaughlovedream.com/uploads/1/3/2/6/132695434/1063428.pdf
- http://porofe.gavinwelshfarriery.co.nz/uploads/1/3/0/9/130969754/1179585.pdf
- https://site-1040426.mozfiles.com/files/1040426/puwirigip.pdf
- https://site-1038924.mozfiles.com/files/1038924/denir.pdf
- https://site-1036874.mozfiles.com/files/1036874/lapobezoronis.pdf
- https://site-1039676.mozfiles.com/files/1039676/papujipasewa.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://files.dofuspourlesnoobs.com/uploads/1/3/2/3/132303061/dumepisimo_wowanolemupi_jijug.pdf
- https://cdn.shopify.com/s/files/1/0433/4862/3510/files/47715775975.pdf
- https://cdn.shopify.com/s/files/1/0431/2812/7650/files/44_159_pink_pill.pdf
- https://cdn.shopify.com/s/files/1/0498/0034/7810/files/el_aguacate_es_una_fruta.pdf
- https://cdn.shopify.com/s/files/1/0496/7746/7801/files/61952545753.pdf
- https://cdn.shopify.com/s/files/1/0484/9041/4241/files/pelanoxovebiwibuxumi.pdf
- https://cdn.shopify.com/s/files/1/0486/2463/1976/files/jet_blue_jfk.pdf
- http://scripts.sil.org/OFL

Note on triage: the two www.ascendercorp.com entries and http://scripts.sil.org/OFL are the vendor and SIL Open Font License URLs that font name tables normally carry, consistent with the two embedded sfnt fonts carved below rather than with lure content. The remaining entries are the external .pdf link farm and the redirector query URL that the heuristics describe.
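The two critical heuristics above (a clickable link into redirector infrastructure, and a small file whose clickable links are mostly external .pdf files on one host) plus the body-text/link cross-check from the summary can be reproduced with a parser-free scan of the raw bytes, which is the kind of fallback that still runs when a strict parser such as pdfminer.six rejects the file. The following is an added example, not the analyzer's own code: it only sees uncompressed objects (anything inside FlateDecode streams or /ObjStm object streams is invisible to it), the thresholds, the redirector watchlist, the placeholder .invalid domains and the BODY_URL_MATCHES_LINK finding ID are assumptions, and the sample PDF is constructed inline so the script runs offline.

```python
"""Static link-farm / redirector heuristics over raw PDF bytes.

Added example, not the analyzer's own code. It scans uncompressed objects
only: anything inside FlateDecode streams or /ObjStm object streams is
invisible to it, which is the price of a parser-free fallback that still
runs when a strict parser rejects the file. Thresholds, the redirector
watchlist and the placeholder domains are assumptions for illustration.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed watchlist of redirector hosts (placeholder, not the report's domain).
REDIRECTOR_HOSTS = {"redirect.example.invalid"}

# /URI (...) entries of link-annotation actions, and URLs shown as visible
# text via "(...) Tj" operators in an uncompressed content stream.
URI_ANNOT_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
TEXT_URL_RE = re.compile(rb"\((https?://[^)\s]+)\)\s*Tj")


def build_sample_pdf(link_uris, body_urls):
    """Constructed PDF-like blob: one /Link annotation per URI plus a content
    stream that prints each body URL. Not a valid PDF (no xref), just enough
    for the regexes above, so the example runs offline."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>"]
    for uri in link_uris:
        objs.append(b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>"
                    % uri.encode())
    body = b"BT " + b" ".join(b"(%s) Tj" % u.encode() for u in body_urls) + b" ET"
    objs.append(b"<< /Length %d >>\nstream\n%s\nendstream" % (len(body), body))
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    return out + b"%%EOF\n"


def extract_link_uris(pdf_bytes):
    """Clickable targets from uncompressed /Link annotations."""
    return [m.group(1).decode("latin-1") for m in URI_ANNOT_RE.finditer(pdf_bytes)]


def extract_body_urls(pdf_bytes):
    """URLs that appear as visible text in uncompressed content streams."""
    return [m.group(1).decode("latin-1") for m in TEXT_URL_RE.finditer(pdf_bytes)]


def analyze(pdf_bytes, max_size=200_000, min_pdf_links=8, cluster_ratio=0.5):
    """Return extracted URLs and a list of (id, severity, detail) findings."""
    uris = extract_link_uris(pdf_bytes)
    body = extract_body_urls(pdf_bytes)
    findings = []

    # Heuristic 1: any clickable link into watchlisted redirector infrastructure.
    redirector_hits = sorted({u for u in uris if urlparse(u).hostname in REDIRECTOR_HOSTS})
    if redirector_hits:
        findings.append(("PDF_MALICIOUS_REDIRECTOR_LINK", "critical", redirector_hits))

    # Heuristic 2: small file, many external .pdf links, mostly on one host.
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    if (len(pdf_bytes) <= max_size and pdf_links and len(pdf_links) >= min_pdf_links
            and top_count / len(pdf_links) >= cluster_ratio):
        findings.append(("PDF_SEO_LINK_FARM", "critical",
                         {"pdf_links": len(pdf_links), "top_host": top_host,
                          "on_top_host": top_count}))

    # Cross-check from the summary: a URL visible in the body that is also a
    # clickable link is the lure the user is meant to follow. (ID is assumed.)
    overlap = sorted(set(uris) & set(body))
    if overlap:
        findings.append(("BODY_URL_MATCHES_LINK", "info", overlap))

    return {"link_uris": uris, "body_urls": body, "findings": findings}


# Constructed sample: one redirector lure, 8 .pdf links on one host, 3 on
# another, one vendor homepage; the lure also appears in the body text.
LURE = "https://redirect.example.invalid/strik?keyword=constructed+lure"
SAMPLE_LINKS = ([LURE]
                + ["https://files.example.invalid/uploads/%d/doc%d.pdf" % (i, i) for i in range(8)]
                + ["https://cdn.other.invalid/files/%d.pdf" % i for i in range(3)]
                + ["https://vendor.example.invalid/"])
SAMPLE_BODY = [LURE, "https://unrelated.example.invalid/readme"]
SAMPLE_PDF = build_sample_pdf(SAMPLE_LINKS, SAMPLE_BODY)

if __name__ == "__main__":
    for fid, sev, detail in analyze(SAMPLE_PDF)["findings"]:
        print(f"{sev:8} {fid}: {detail}")
```

On the constructed sample this yields all three findings; a two-link document with no watchlisted host and no body/link overlap yields none. Against a real carrier the raw-byte scan will under-count whenever the annotations live in compressed object streams, so treat a clean result from this fallback as "no signal", not as a negative verdict.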
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00006e57.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6E57 | 5440 bytes | 530799d1c1af3a3934cb8d7917ac9dbdca7f0183ca86e18388d2da03eeacbd05 |
| font_01_sfnt_off000080c7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x80C7 | 10360 bytes | d2c9fa36fee0c5d478cb4d3b9548bddce72caff13cf39113a24a715a1c72eed7 |