MALICIOUS
182
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF contains a large number of embedded links pointing to external PDFs hosted on disposable domains, a common tactic for SEO manipulation or distributing malicious content. One critical heuristic identified a link to known malicious redirector infrastructure, suggesting a potential for further malicious activity. The ML classifier also strongly indicated maliciousness.
Machine Learning
- Nyx PDF Classifier malicious score 0.9890
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ggtraff.ru/strik?keyword=geometry+worksheet+angle+and+segment+addition+postulate In PDF document text
- https://site-1036691.mozfiles.com/files/1036691/27121280600.pdfIn PDF document text
- https://site-1037187.mozfiles.com/files/1037187/43382189321.pdfIn PDF document text
- https://site-1040669.mozfiles.com/files/1040669/7714628464.pdfIn PDF document text
- http://files.pureheartbody.com/uploads/1/3/1/4/131437018/999772aa1c5.pdfIn PDF document text
- http://files.designsbymeghan.net/uploads/1/3/1/3/131383813/184286d7bf2.pdfIn PDF document text
- http://xuxakuna.visaliaobgyn.org/uploads/1/3/0/7/130775683/ca3ef53f7.pdfIn PDF document text
- http://mivepazo.verseapack.com/uploads/1/3/0/8/130814591/e80dc7.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://cdn.shopify.com/s/files/1/0427/9838/3260/files/camp_oak_hill_in_oxford_nc.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b0676b23-018a-4000-b080-6c7c04a5cf5d/58312029248.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/78345f92-8190-4d27-a329-6710cfc99bd4/25219192899.pdfIn PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000a566.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA566 | 2828 bytes |
SHA-256: 3b89a1333aa93e194de12c5c5da229a8f3a969ace6b07a90c5323b9ece6747ec |
|||
font_01_sfnt_off0000af61.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xAF61 | 5664 bytes |
SHA-256: 0b163bebe25252f13135372505d8c19b096de70df875ea7fb6c23bd311bf34e9 |
|||
font_02_sfnt_off0000c29b.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC29B | 12852 bytes |
SHA-256: 6e302521d0ab225541247f781b9831d1e1908b4aaffa1a5bcc07dcaee28e57bc |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.