Verdict: MALICIOUS
Risk Score: 150
Malware Insights
MITRE ATT&CK
- T1566.002 Spearphishing Attachment
- T1059.001 PowerShell
The PDF contains embedded links, one of which points to a known malicious redirector. The document body, though heavily obfuscated, contains text suggesting a report title, likely a lure. The presence of numerous external PDF links, many hosted on Shopify, suggests a link farm designed to obscure the ultimate malicious destination. The ML classifier strongly indicated maliciousness.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9999
Heuristics (3)
- PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (severity: info; rule: EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted URLs:
- https://ttraff.com/pify?keyword=informe+auditoria+de+sistemas+de+informacion
- http://dikanosob.northbeamfinancial.com/uploads/1/3/0/8/130814297/3a95497b29.pdf
- http://files.thebeamtravel.com/uploads/1/3/1/4/131406140/mexudowaforujav.pdf
- http://files.latavolamarche.com/uploads/1/3/1/3/131380052/6fe53fc.pdf
- http://files.conciergepainrelief.com/uploads/1/3/1/6/131606206/kofopije-lofafemax.pdf
- http://files.guldbrikken.dk/uploads/1/3/1/4/131437225/pesumo_jiwonedo_nezukudomal.pdf
- https://cdn.shopify.com/s/files/1/0433/8499/5991/files/85190975282.pdf
- https://cdn.shopify.com/s/files/1/0429/8548/8543/files/28983667366.pdf
- https://cdn.shopify.com/s/files/1/0438/3621/1362/files/bandar_malaysia_project.pdf
- https://cdn.shopify.com/s/files/1/0437/8332/3806/files/61347096009.pdf
- https://cdn.shopify.com/s/files/1/0429/4138/2812/files/alone_again_piano_sheet_music.pdf
- https://cdn.shopify.com/s/files/1/0431/7619/8305/files/c._r._e_form_one_notes.pdf
- https://cdn.shopify.com/s/files/1/0437/7811/3697/files/66891413359.pdf
- https://cdn.shopify.com/s/files/1/0430/0649/2823/files/pevapapiluwejemukoxigu.pdf
- https://cdn.shopify.com/s/files/1/0437/5861/6733/files/pebabagogule.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts (5)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00005ff6.bin | 192e9d533813016a4e0c1bdb71cadcb8b9c4887b6438c1ff1c773a8132389105 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5FF6 | 1604 bytes |
| font_01_sfnt_off0000681a.bin | adb2cbd13ba30ff985c801e0d025c9c0e695babc63e4532f75026021771ca46d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x681A | 4956 bytes |
| font_02_sfnt_off000078ca.bin | 590fb2330137dc7989dcf74c0772c2244dad9b628ac1cb6bc0b86ef7d994ad1c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x78CA | 10712 bytes |
| font_03_sfnt_off00009bec.bin | c988415812f594187b0a0ed75dc52802e798e1695b49bd300f8412a65040a449 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9BEC | 16204 bytes |
| font_04_sfnt_off0000b11b.bin | 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB11B | 4324 bytes |