MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains numerous embedded links, with one identified as a malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.com/pify?keyword=avery+insertable+dividers+11200+template', which is flagged as malicious. The presence of a large number of external PDF links, many of which are on Shopify domains, suggests a link farm or SEO manipulation tactic to obscure the malicious redirector.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=avery+insertable+dividers+11200+template
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0438/0898/1153/files/black_friday_full_movie_filmywap.pdf
- https://cdn.shopify.com/s/files/1/0433/1733/0075/files/helping_linking_and_action_verbs.pdf
- https://cdn.shopify.com/s/files/1/0431/4942/6845/files/17167386245.pdf
- https://cdn.shopify.com/s/files/1/0439/5397/9550/files/freeview_tv_guide_bbc_scotland.pdf
- https://cdn.shopify.com/s/files/1/0427/4782/2236/files/the_abc_s_of_calculus_volume_1.pdf
- https://cdn.shopify.com/s/files/1/0432/5926/5188/files/55862189361.pdf
- https://cdn.shopify.com/s/files/1/0431/4939/4080/files/temporary_internet_files_location_has_changed.pdf
- https://cdn.shopify.com/s/files/1/0434/4204/5090/files/vutisawodi.pdf
- https://cdn.shopify.com/s/files/1/0449/7866/7688/files/juzebadizovezapazawam.pdf
- https://cdn.shopify.com/s/files/1/0433/3672/8726/files/3179115928.pdf
- https://static.usrfiles.com/ugd/b8c837_c87ef679b29142e49da0f635fd75b637.pdf
- https://static.usrfiles.com/ugd/162fe6_e103db3e90b24528b2e15e3d7cad9853.pdf
- https://static.usrfiles.com/ugd/b8c837_7450f0a71b8442cc90548803a306cbe0.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006335.bin1e12f78698a55fc50d0031e672c3b6bfa18ee17a90476f5cfadc60591520e9d7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6335 | 5720 bytes |
font_01_sfnt_off000076aa.bin78edb5417bfa6cf7b80f0044be65ad9d3e0d6cad487874d3e28bdf420179fea9 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x76AA | 13660 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.