MALICIOUS
102
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains embedded URLs and heuristic firings indicating it is a malicious redirector. The document body, though heavily obfuscated, contains text related to passport collection and a URL that matches the malicious redirector found in the heuristics. The ML classifier strongly flags this PDF as malicious, and the presence of a malicious link suggests a phishing or credential harvesting attempt.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Fake invoice / payment lure low SE_INVOICE_LUREDocument contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ggtraff.ru/strik?keyword=authorization+letter+to+collect+passport+vfs
- https://cdn-cms.f-static.net/uploads/4424011/normal_5f9ed1b530a01.pdf
- https://cdn-cms.f-static.net/uploads/4391909/normal_5f9246ab22cbb.pdf
- https://nubojubixuxo.weebly.com/uploads/1/3/1/4/131410311/0a45d.pdf
- https://cdn-cms.f-static.net/uploads/4393179/normal_5f974cebdb65d.pdf
- https://cdn-cms.f-static.net/uploads/4409630/normal_5f96bf24a6512.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://uploads.strikinglycdn.com/files/b5e07736-80b5-4dfb-a1a0-0947fc76a5b2/8238696793.pdf
- https://uploads.strikinglycdn.com/files/8102e29f-ad65-4dfd-aa52-9361c5e74764/kidewagipobefawixi.pdf
- https://uploads.strikinglycdn.com/files/6ca3fc2a-013f-433f-b87f-f2554a3c56ef/crack_the_core.pdf
- https://s3.amazonaws.com/wilugugo/metso_jaw_crusher.pdf
- https://s3.amazonaws.com/kudowo/46280749441.pdf
- https://s3.amazonaws.com/vitelitubovuluj/bakery_and_coffee_shop_business_plan.pdf
- https://uploads.strikinglycdn.com/files/cab6f787-993c-4f9b-b49f-437e8402875e/47493647948.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000621b.bin402b927b76d022e79a51e67165727f0f79bc679240c8ad6d2c430c8ece895946 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x621B | 5084 bytes |
font_01_sfnt_off0000736b.bind351d777ef5eb925f3e23aa62bc40edb31e44e80a94b0729e0f066a4f4f98fb9 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x736B | 10328 bytes |
font_02_sfnt_off000096bc.bina542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x96BC | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.