MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains numerous embedded links, with a critical heuristic firing for a malicious redirector. The primary malicious URL identified is 'https://ttraff.com/wix?keyword=small+engines+repair+manual', which is likely used to lure victims into a phishing or scam scheme. The PDF also exhibits characteristics of a link farm, suggesting an attempt to artificially boost SEO or distribute malicious links.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=small+engines+repair+manual
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static.usrfiles.com/ugd/b8c837_ab7a096ce89f4b098577212538215d70.pdf
- https://static.usrfiles.com/ugd/b8c837_39e4fce23e094c38b95c59222cf2cbd7.pdf
- https://static.usrfiles.com/ugd/0c4177_18aeac9e4a3b4d048367ba7223410c13.pdf
- https://cdn.shopify.com/s/files/1/0429/1405/4300/files/arabic_picture_dictionary.pdf
- https://cdn.shopify.com/s/files/1/0445/5543/6196/files/50664922285.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/57379697448.pdf
- https://cdn.shopify.com/s/files/1/0433/7664/0156/files/besharam_film_video_song.pdf
- https://cdn.shopify.com/s/files/1/0432/3993/2064/files/tales_of_two_wastelands_mods.pdf
- https://static.usrfiles.com/ugd/29c71c_862a6d17e41f41b0b699d4f007c65d32.pdf
- https://static.usrfiles.com/ugd/cbe7f7_8741e5ff11834de885ccc3d1dd370180.pdf
- https://static.usrfiles.com/ugd/a2e20a_0e9751210390466689040948e67affe5.pdf
- https://cdn.shopify.com/s/files/1/0428/1984/6311/files/86014912164.pdf
- https://cdn.shopify.com/s/files/1/0439/1642/7419/files/sorusatumobixoviwi.pdf
- https://cdn.shopify.com/s/files/1/0434/4984/3868/files/rubber_stamp_generator_photoshop_action.pdf
- https://cdn.shopify.com/s/files/1/0434/5180/9957/files/workplace_injury_report_form_victoria.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000689d.bin2ddfb6f8f0db00d2530e59c124f6c778d1c14ccc5a7a946c2f9237cecb48ee0e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x689D | 5240 bytes |
font_01_sfnt_off00007a52.bin5879962b1db921c73280ce2ab8503b81c052df8dfa1b86b3bdf1394caba1c7bc |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7A52 | 10600 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.