MALICIOUS
162
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF document contains embedded links, one of which, https://ttraff.com/pify?keyword=agency+cost+pdf, is identified as a malicious redirector. The document also exhibits characteristics of a link farm, with numerous external PDF links. The presence of invoice-related language suggests a lure to encourage users to click the malicious link, likely leading to further compromise.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Fake invoice / payment lure low SE_INVOICE_LUREDocument contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=agency+cost+pdf
- http://files.apowersphotography.com/uploads/1/3/1/1/131164479/13b06.pdf
- http://files.keyestosafetyllc.com/uploads/1/3/1/1/131163976/kutupobeb_tefax.pdf
- http://files.herstoryhouse.com/uploads/1/3/1/4/131406840/cf059294a57a186.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0434/0151/1064/files/61406012472.pdf
- https://cdn.shopify.com/s/files/1/0438/2110/5309/files/rosobulebabiw.pdf
- https://cdn.shopify.com/s/files/1/0431/5699/6245/files/giwazefuvufebilusofe.pdf
- https://cdn.shopify.com/s/files/1/0430/4361/8965/files/hackflix_code_free.pdf
- https://cdn.shopify.com/s/files/1/0432/4065/2960/files/59844709182.pdf
- https://cdn.shopify.com/s/files/1/0431/5129/4619/files/xolajugenezawawetesef.pdf
- https://cdn.shopify.com/s/files/1/0431/1587/2423/files/dekezawovusininur.pdf
- https://cdn.shopify.com/s/files/1/0431/1918/1978/files/21902153199.pdf
- https://cdn.shopify.com/s/files/1/0428/6880/1702/files/bangla_quran_meaning.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000063d7.bin38a5599af512079e548f52057b4802b677dbf71a8cc952afb45d87b067ce3641 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x63D7 | 5076 bytes |
font_01_sfnt_off0000753c.bina57805bd8c4307592413be0c9de2b73fba30affb5971f3571f7cfcffff142824 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x753C | 10608 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.