MALICIOUS
162
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com', which is used to lure victims. The document body, though partially corrupted, contains text suggesting an urgency lure related to a police department report. The presence of numerous embedded links, many pointing to Shopify domains, suggests a link farm or SEO poisoning attempt to distribute malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Urgency / deadline lure low SE_URGENCY_LUREDocument contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=san+francisco+police+department+online+report
- http://files.americasyouthsports.com/uploads/1/3/0/7/130775665/tukisapo.pdf
- http://files.abugslife.blog/uploads/1/3/0/8/130873838/pobulitimivimin_bepumo.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0429/0058/6649/files/jademu.pdf
- https://cdn.shopify.com/s/files/1/0430/8670/8893/files/pharmacology_ebooks_free_download.pdf
- https://cdn.shopify.com/s/files/1/0433/3495/9259/files/weduzebezewujufujuw.pdf
- https://cdn.shopify.com/s/files/1/0433/6215/6702/files/24318191439.pdf
- https://cdn.shopify.com/s/files/1/0457/5248/3996/files/votusenezovaj.pdf
- https://cdn.shopify.com/s/files/1/0431/8691/3437/files/bipufapiwegate.pdf
- https://cdn.shopify.com/s/files/1/0432/8649/5396/files/25159488263.pdf
- https://cdn.shopify.com/s/files/1/0438/2385/7824/files/posevi.pdf
- https://cdn.shopify.com/s/files/1/0429/6926/8373/files/42455329142.pdf
- https://cdn.shopify.com/s/files/1/0433/8892/8150/files/dejarexedoma.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00009741.bin67cddc7fceb5f63a84cfb75ebd6087a6e160ab0f27fa7a3ba8d433411f9584e9 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9741 | 5404 bytes |
font_01_sfnt_off0000a97d.bin1419692c84f31b8095d5175eea4050a388af9d6b20e343da96c7dab036ec0dd2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA97D | 10604 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.