MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains a significant number of embedded links, with a critical heuristic identifying it as a link farm. One of the primary links directs to a known malicious redirector service, 'ttraff.ru', which is likely used to obscure the ultimate malicious destination. The ML classifier also strongly indicated maliciousness.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=borland+c+3.+1+pdf
- http://files.hannahfairchild.com/uploads/1/3/0/8/130814056/zunowefinubin-barenojajuve-fibetopiwegobu-tokibiwi.pdf
- http://files.lennoxweb.com/uploads/1/3/2/6/132696030/291007.pdf
- http://files.testsiteforhsct.info/uploads/1/3/2/8/132816096/169d3fede62b4.pdf
- http://files.uccstj.com/uploads/1/3/1/4/131407067/780f265538135a.pdf
- http://files.collincountyhistorymuseum.org/uploads/1/3/0/9/130969967/sadibugobuveki.pdf
- https://cdn.shopify.com/s/files/1/0430/8362/8697/files/zipobonusisejiba.pdf
- https://cdn.shopify.com/s/files/1/0429/2981/5705/files/40413183444.pdf
- https://cdn.shopify.com/s/files/1/0434/2421/9293/files/pejaf.pdf
- https://cdn.shopify.com/s/files/1/0428/8158/1209/files/24225842645.pdf
- https://cdn.shopify.com/s/files/1/0435/2291/6520/files/jipolapokawenatapo.pdf
- https://cdn.shopify.com/s/files/1/0427/8052/4710/files/gosomevomodazubinarefajiz.pdf
- https://cdn.shopify.com/s/files/1/0427/4746/1788/files/xobagisirurozorume.pdf
- https://cdn.shopify.com/s/files/1/0430/0151/2090/files/97706931878.pdf
- https://cdn.shopify.com/s/files/1/0429/0979/4463/files/nakosiva.pdf
- https://cdn.shopify.com/s/files/1/0435/9153/2699/files/74941060860.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0001ab6f.binaa4f57a046aa611f5ff8ceb929f4c1b4f20ced8a06415aa462f08c15d6a2008a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1AB6F | 4808 bytes |
font_01_sfnt_off0001bbc9.bin24caae11ac720d7e69c94a27363924602e577ab93d4e7409af7f5d887833c192 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1BBC9 | 28092 bytes |
font_02_sfnt_off0001feb3.binb2ddecaff7e2361bf51021b35f9c014659943b600c4f466cb4656cea9e83b80e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1FEB3 | 16088 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.