MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/wix?keyword=alpha+protocol+conversation+guide'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs. The ML classifier strongly flagged this PDF as malicious. The document body, though heavily obfuscated, contains the malicious URL and appears to be a lure for 'Alpha protocol conversation guide'.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wix?keyword=alpha+protocol+conversation+guide
- https://cdn.shopify.com/s/files/1/0433/5340/7646/files/gelezi.pdf
- https://cdn.shopify.com/s/files/1/0428/2338/5247/files/42828339585.pdf
- https://cdn.shopify.com/s/files/1/0434/8103/9013/files/73208683239.pdf
- https://cdn.shopify.com/s/files/1/0440/7712/1686/files/62785195723.pdf
- https://cdn.shopify.com/s/files/1/0446/6769/9353/files/bcd_7_segment_decoder.pdf
- https://cdn.shopify.com/s/files/1/0437/8135/7725/files/jay_z_discography_torrents.pdf
- https://cdn.shopify.com/s/files/1/0454/5793/2446/files/critical_theory_in_english_literature.pdf
- https://232c5590-82b3-405a-a496-d82b2e8c9149.filesusr.com/ugd/bf57b5_bba6b302757c44cf9481ff458b46f2e3.pdf?index=true
- https://3e09f235-fcc5-4da5-8c04-1a52101c697d.filesusr.com/ugd/96564c_a2cff9ec262c4f30bbafc863e70a459a.pdf?index=true
- https://83f56655-92b4-4636-ae04-be999e702dfb.filesusr.com/ugd/105a8c_4555fd68638349d1bb7ab705fb8027a3.pdf?index=true
- https://cbe580ec-a89b-45f3-ab07-c1019b401888.filesusr.com/ugd/d90490_82589bf31a324b23a4a012e40e7c0f3d.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00012ddc.bin62cd9586ac90e9a922a989881eb98f4d47373282172154a8f2686ccdf1b5c8ec |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12DDC | 5264 bytes |
font_01_sfnt_off00013fb6.bin4a69ff9b708132b7b7b50977e87a0cc5965c27dca648a89bcebd72d4caf0ceb0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x13FB6 | 16556 bytes |
font_02_sfnt_off0001725b.bince7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1725B | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.