MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF was flagged as malicious due to a critical heuristic indicating it links to known malicious redirector infrastructure. Additionally, it contains a mass external PDF link farm, suggesting a potential SEO manipulation or phishing scheme. The embedded URL 'https://ttraff.link/pify?keyword=supernatural+season+12+episode+guide+wiki' is a primary indicator of malicious intent, likely serving as a redirector to a malicious payload or phishing page.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.link/pify?keyword=supernatural+season+12+episode+guide+wiki
- https://static.usrfiles.com/ugd/b8c837_81171a28561940d09ed1a8e461cc24b1.pdf
- https://static.usrfiles.com/ugd/1df9ea_b4e807f06bde4aa9bc8065c25a75b6cc.pdf
- https://static.usrfiles.com/ugd/1715bf_afa1ca39c21149e6bc1d6ba5cf41fa05.pdf
- https://cdn.shopify.com/s/files/1/0430/7366/7225/files/jagamuxoxukadejukeseg.pdf
- https://cdn.shopify.com/s/files/1/0434/0993/2440/files/4323058619.pdf
- https://static.usrfiles.com/ugd/35c6e2_22d28e7d80f940f58b055cdf72065461.pdf
- https://static.usrfiles.com/ugd/a44510_1024faa85b654fcea552f2c136d46b5e.pdf
- https://static.usrfiles.com/ugd/b5472a_3988128c131843c5aec1b82f0da3342a.pdf
- https://static.usrfiles.com/ugd/b8c837_baadac04fac64f9b8afedd72cb7e4441.pdf
- https://static.usrfiles.com/ugd/c0b427_73f29cc4324240408f789fe72fa0ba1d.pdf
- https://static.usrfiles.com/ugd/bb13a2_47bd640941d94a6ea360002508ab734f.pdf
- https://static.usrfiles.com/ugd/9219f8_6a02a7de4f62403d837977248fe8abd8.pdf
- https://static.usrfiles.com/ugd/d6b5da_619efb0886bd484f8d2f6665a7cd6166.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00009af3.bin580f850f992a5c9494084304a93692ca0474e6d2ff783ce289afc58d6e100168 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9AF3 | 5568 bytes |
font_01_sfnt_off0000ae07.bin1833412e7971b87e1499dee9b5594d82c9859ed41762cce497b9d1d9ee4b813e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xAE07 | 10240 bytes |
font_02_sfnt_off0000d145.binbff7b36378b37ff37dbf51435b761c6740d96b47e0e79897bb378602cf810c78 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD145 | 16236 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.