Verdict: MALICIOUS
Risk Score: 150
Malware Insights
MITRE ATT&CK
- T1566.002 Spearphishing Attachment
- T1059.001 PowerShell
The PDF contains a malicious redirector link disguised as information about an "order of the arrow ceremony medallion". The link, https://ttraff.cc/wb?keyword=order%20of%20the%20arrow%20ceremony%20medallion, leads to known malicious infrastructure. The document also functions as a link farm, containing numerous external links, many of which are to PDF files hosted on file hosting services. The ML classifier strongly flagged this PDF as malicious.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (3)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted URLs:
- https://ttraff.cc/wb?keyword=order%20of%20the%20arrow%20ceremony%20medallion
- https://b0e54344-d9a1-4599-b03f-3b66bb59a070.filesusr.com/ugd/7e0eb0_6fd3b68791e94e1393dacc354abaf7e8.pdf?index=true
- https://223149a4-a6d0-42c8-a908-64450aef40e9.filesusr.com/ugd/07e02c_700c7945b563448faa2654181a9f65ec.pdf?index=true
- https://cf6357f1-09b1-48b2-b0b6-4eb22f1a63b0.filesusr.com/ugd/d8966e_f966b5db0d1e406a95d4c4ac1f0d2035.pdf?index=true
- https://cdn.shopify.com/s/files/1/0431/1135/0439/files/rotalaju.pdf
- https://cdn.shopify.com/s/files/1/0427/4782/2236/files/ethereum_blockchain_technology.pdf
- https://cdn.shopify.com/s/files/1/0430/7301/1865/files/21089072240.pdf
- https://cdn.shopify.com/s/files/1/0436/9511/2345/files/the_edge_of_never_free_download.pdf
- https://cdn.shopify.com/s/files/1/0428/3501/7884/files/gitajaboxemerebifilinaj.pdf
- https://cdn.shopify.com/s/files/1/0435/1007/1460/files/fomubereguvenoxerafunolam.pdf
- https://cdn.shopify.com/s/files/1/0429/2149/2643/files/shoulder_impingement_home_exercises.pdf
- https://cdn.shopify.com/s/files/1/0434/1914/0252/files/90321385595.pdf
- https://2254c940-43b1-4dd1-bf19-635a1797d41c.filesusr.com/ugd/0f9ef0_9becac8ec7bf4ec4bd6bdac24b8df963.pdf?index=true
- https://5b6bbb5c-f82a-4365-a926-a49a6462138b.filesusr.com/ugd/d2057d_f89209c7428141cda334c176ae8fab93.pdf?index=true
- https://a095a58d-c569-44c0-a0d9-3216265923e5.filesusr.com/ugd/bc0b97_7b24db3aea78418a866987abbe18815e.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00010383.bin | 118457b8939a093f30dec2e848ed560375148065b743aa6e2ddbd7c2a7a50e59 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10383 | 5304 bytes |
| font_01_sfnt_off0001157b.bin | 933a0f7f930ec3c50df18bcc0cc96cb505d92a3ae728f9c3304ffb5ba31d3817 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1157B | 10252 bytes |