MALICIOUS
Risk Score: 150
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains multiple embedded links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text suggesting a lure related to downloading subtitles, which aligns with the malicious URL's keyword parameter. The presence of a large number of external PDF links further indicates a link farm designed to attract traffic and potentially distribute malware.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (3)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://ttraff.club/wix?keyword=instructions+not+included+english+subtitles+download
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00008b62.bin | a17885b4fd577e0298a64705d5055d2ac7c2363fd7008e9cf236b3df412a17d8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8B62 | 2828 bytes |
| font_01_sfnt_off0000955c.bin | 2e5319a98b0dc7c1ccf33dd3e943224b03aec760d28d7630b3883735a5b59721 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x955C | 5372 bytes |
| font_02_sfnt_off0000a7a6.bin | f98dc044f95eea2402a91fe82bb59df1e35cf281c31bf800b4c6fab34ce7552a | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA7A6 | 10236 bytes |