Verdict: MALICIOUS
Risk Score: 194
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.001 PowerShell
This PDF file contains numerous links to external websites, many of which are associated with malicious redirector infrastructure. The document also includes a lure to execute commands via the clipboard, suggesting an attempt to download and run a secondary payload. The ML classifier strongly indicates malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (5)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Clipboard command execution lure (high, SE_CLIPBOARD_COMMAND_LURE): Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All extracted URLs were found in PDF document text.
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00006cda.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6CDA | 5128 bytes | f6ee13ec2cb1f313096f16b44dfe09705458509a5df5cb3abb85897af7774404 |
| font_01_sfnt_off00007e35.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7E35 | 11488 bytes | 00f51ded428008464481dec21108b2a7ab92c2da86c8fa5fd73a539684e6d80b |
| font_02_sfnt_off0000a59a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA59A | 16388 bytes | 2cadb2ae25cea88cb182acc54f62d1c218aef5f2772c4081b94d5d3cddde1204 |