MALICIOUS
262
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
T1105 Ingress Tool Transfer
This PDF file contains embedded JavaScript that references a malicious redirector URL, 'https://ttraff.cc/pify?keyword=powershell+http+server'. The PDF also contains numerous links to external PDF files, many hosted on Shopify, suggesting a link farm or content distribution network. The embedded script and the redirector URL indicate an attempt to download and execute a second-stage payload, likely related to a PowerShell HTTP server.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 8
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOADPDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
-
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMANDExtracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=powershell+http+server
- http://files.northernnerd.com/uploads/1/3/1/4/131453990/vowojadi.pdf
- http://files.blueridgecreativeco-op.com/uploads/1/3/0/9/130969097/99655efb40dd3cf.pdf
- http://files.garrityrights.org/uploads/1/3/0/7/130738876/gupurarito-fopovilisagagox.pdf
- http://files.htsi-al.com/uploads/1/3/0/8/130874615/lotijawudinur-bexorif-ketesojawapobed-ratukuxiwozije.pdf
- http://:::8000/
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0432/4445/4051/files/77804599724.pdf
- https://cdn.shopify.com/s/files/1/0431/7803/3313/files/ratom.pdf
- https://cdn.shopify.com/s/files/1/0431/1970/6269/files/wezaxezur.pdf
- https://cdn.shopify.com/s/files/1/0435/5814/2120/files/91947700360.pdf
- https://cdn.shopify.com/s/files/1/0430/1189/9545/files/47003465374.pdf
- https://cdn.shopify.com/s/files/1/0435/9992/1315/files/rakebulawuzesufek.pdf
- https://cdn.shopify.com/s/files/1/0431/6889/1040/files/zobezabiwuzubupivabovepet.pdf
- https://cdn.shopify.com/s/files/1/0431/7193/8453/files/5_o_clock_in_the_morning_lyrics.pdf
- https://cdn.shopify.com/s/files/1/0431/4189/0210/files/47457048234.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/74251218784.pdf
- https://cdn.shopify.com/s/files/1/0430/2585/8714/files/93867959982.pdf
- https://cdn.shopify.com/s/files/1/0431/9143/5422/files/zopuzurupabo.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_pdf_script_0000bbe9.bin90498ca82930b274f55971e4fd0c1ceb0cc62a88d95001d1315ce045361607b5 |
pdf-embedded-script | PDF raw stream script payload at offset 0xBBE9 | 1585 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 3 shell/COM execution token(s).
|
|||
font_00_sfnt_off0000611a.bine32898344e13999e2557490d78073ffdaf3155238627d2c19694aa1cf7a638d1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x611A | 4848 bytes |
font_01_sfnt_off000071ad.bin8a942ae7eceab1a6755f7d78c5f8c4477d8e3926e284c0b54da2f92d52144167 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x71AD | 13832 bytes |
font_02_sfnt_off00009ee0.bina95eff378c135b1ab40d10b3cd1da1bafbc07f86005f57898d079c90d712ddbd |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9EE0 | 16204 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.