MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF document contains a large number of embedded links, many pointing to the same domain, which is indicative of a link farm. One of these links, 'https://ttraff.club/wix?keyword=rescission+notice+form', is identified as a malicious redirector. The document's content, though heavily obfuscated, appears to be a lure for a 'rescission notice form', likely intended to trick users into visiting the malicious URL. No scripts were extracted from this sample.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.club/wix?keyword=rescission+notice+form
- https://static.usrfiles.com/ugd/bf0735_b697c5e2d4c1440289e73abc1d542b3a.pdf
- https://static.usrfiles.com/ugd/1cc7e8_1b68461b940e4105acc64735008696f4.pdf
- https://static.usrfiles.com/ugd/9ea9b6_d51cd46778814f1691e3f0ca1b1a49bc.pdf
- https://static.usrfiles.com/ugd/88a84f_bdc537521fd94279a894bd34f44b8ef3.pdf
- https://static.usrfiles.com/ugd/c0b427_9d01b499e7504c579058eb81055a85f0.pdf
- https://static.usrfiles.com/ugd/b8c837_b8649b4894614051aeb2fadee47746f0.pdf
- https://static.usrfiles.com/ugd/de65f7_3d5dd38b07aa4665b0169164cca7d97f.pdf
- https://static.usrfiles.com/ugd/ef253e_068a4cd272964117aedc2138b8a155b9.pdf
- https://static.usrfiles.com/ugd/0c60a0_6b47a8cdc38948ffb516765809edb04f.pdf
- https://static.usrfiles.com/ugd/69b86f_f661e4667d0b44f7bccb091ec7cd2ef6.pdf
- https://static.usrfiles.com/ugd/c4ccc4_9960d8e8dd6544018302320803dfd4db.pdf
- https://static.usrfiles.com/ugd/ed64d2_3622eb6b3a12424da278610a3a6dcf81.pdf
- https://cdn.shopify.com/s/files/1/0439/8556/7902/files/names_of_god_in_the_bible_and_their_meanings.pdf
- https://cdn.shopify.com/s/files/1/0438/1714/0386/files/nvalid_request_authentication_expired.pdf
- https://cdn.shopify.com/s/files/1/0433/6222/2232/files/putumobozapisefoxelevur.pdf
- https://cdn.shopify.com/s/files/1/0434/3631/0678/files/13067213073.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005d7f.binc1b70205ea3d660e3e9603d939730202cb54acb2d93c636e939f28c5bd4d701f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5D7F | 4792 bytes |
font_01_sfnt_off00006dbd.bin3625beb51f0c510dc7de0e06754d15b31422c2644754d37f4d62aae1bc5bc369 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6DBD | 10348 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.