MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
T1204.002 Malicious Link
This PDF document contains a large number of embedded links, many of which point to a link farm hosted on cdn.shopify.com. One of the primary links directs the user to a known malicious redirector at ttraff.cc, disguised as a Google spreadsheet VLOOKUP example. The ML classifier strongly supports the malicious verdict, and the presence of a malicious redirector indicates a likely attempt to deliver a secondary payload or phish credentials.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wix?keyword=google+spreadsheet+vlookup+example
- https://static.usrfiles.com/ugd/cb4a18_bbd6b78ade4340289583488ce876752f.pdf
- https://static.usrfiles.com/ugd/0ad6c7_20ab3cef82ff43d582102a5ad15a2912.pdf
- https://static.usrfiles.com/ugd/b8c837_557042824bb64950b51f14f45456db10.pdf
- https://static.usrfiles.com/ugd/2b3f46_457274c3ed6c49188758a3863243ed60.pdf
- https://static.usrfiles.com/ugd/4c1554_92db862e56ae45e88444b6bde5139455.pdf
- https://cdn.shopify.com/s/files/1/0436/5369/3593/files/bainite_transformation.pdf
- https://cdn.shopify.com/s/files/1/0437/9328/5277/files/co___t_d___c__l__hangman_answer.pdf
- https://cdn.shopify.com/s/files/1/0435/7003/6904/files/shadow_fight_2_modded.pdf
- https://cdn.shopify.com/s/files/1/0430/7949/9940/files/20381934975.pdf
- https://cdn.shopify.com/s/files/1/0431/7511/6964/files/34125766357.pdf
- https://cdn.shopify.com/s/files/1/0434/8765/8141/files/29359479935.pdf
- https://cdn.shopify.com/s/files/1/0434/8346/3832/files/5815692297.pdf
- https://cdn.shopify.com/s/files/1/0432/0657/4240/files/postgres_read_only_user.pdf
- https://cdn.shopify.com/s/files/1/0434/4614/1093/files/leaves_of_grass_walt_whitman_poem_pd.pdf
- https://cdn.shopify.com/s/files/1/0431/0335/5034/files/wegazabemogitidobe.pdf
- https://cdn.shopify.com/s/files/1/0450/6501/1352/files/june_calendar_printable.pdf
- https://cdn.shopify.com/s/files/1/0432/0290/4222/files/ziwilobowukurevawovibure.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00007b81.bin2c827f96474d4db96300f50bf7c5a8dfbafda691c6657e823b05ff560427b820 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7B81 | 5596 bytes |
font_01_sfnt_off00008e6c.bina788a68b377b4bb883eb2edaac99c604234201c08d61502de0d641371a04c7a7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8E6C | 14108 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.