MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF contains embedded links that redirect to a known malicious domain, ttraff.com, disguised as a map review. This suggests an attempt to lead the user to a malicious site, likely for further exploitation or phishing. The ML classifier also strongly indicated maliciousness.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=avenza+maps+review
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static.usrfiles.com/ugd/b8c837_d893d8d477614834b383787219da530e.pdf
- https://static.usrfiles.com/ugd/b8c837_f238e091b4624c17ab3f5cdfa4cb0bf1.pdf
- https://static.usrfiles.com/ugd/b8c837_1ff450ac5f9949308258a50bb3cd977b.pdf
- https://static.usrfiles.com/ugd/b8c837_27adc5cc3eed4076be5d6a00517034c0.pdf
- https://static.usrfiles.com/ugd/b8c837_862c4f1d31d44312968b00f8f603c91f.pdf
- https://static.usrfiles.com/ugd/b8c837_2162611fe1b243b7a8ade55af71b7961.pdf
- https://static.usrfiles.com/ugd/b8c837_704ef12faca146379862905ae61921d5.pdf
- https://static.usrfiles.com/ugd/b8c837_669cf7f73d7d47788a173a295d4e4d50.pdf
- https://static.usrfiles.com/ugd/b8c837_f17c6554e1ce4a27b2ea7a8688aa29ca.pdf
- https://static.usrfiles.com/ugd/b8c837_9e2cf96783db41a9a84eafb9309f6046.pdf
- https://static.usrfiles.com/ugd/b8c837_a3b7f89ebf664e7781ebe8447bac87b9.pdf
- https://static.usrfiles.com/ugd/b8c837_404adcd3ec914b3bad63c6b2875a2582.pdf
- https://static.usrfiles.com/ugd/b8c837_78dc4acaef3a41d4bac33137316ff669.pdf
- https://static.usrfiles.com/ugd/b8c837_4e146d0eb4fd48cd9c641ffc48614c7a.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006b8c.bin57391c1bf65650f1ebad8f964bded61924ee8fdaa7d4be5ef15588578049209f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6B8C | 5124 bytes |
font_01_sfnt_off00007cfd.bin7657eaf5bd1910106986bf41d081a15d8e227d1136bc4948804e2f551f03f8d8 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7CFD | 10196 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.