MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.com/wix?keyword=descarga+musica+tercer+cielo+yo+te+e'. Additionally, it exhibits characteristics of a PDF link farm, with numerous links to other PDFs, including one hosted on 'cdn.shopify.com'. The document body, though heavily obfuscated, contains fragments suggesting a lure related to music downloads. The ML classifier strongly flags this PDF as malicious.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=descarga+musica+tercer+cielo+yo+te+e
- https://cdn.shopify.com/s/files/1/0437/4547/6757/files/bizhub_c368_parts_manual.pdf
- https://cdn.shopify.com/s/files/1/0447/3012/2393/files/mopaku.pdf
- https://cdn.shopify.com/s/files/1/0432/6152/6166/files/characterization_worksheet_3.pdf
- https://cdn.shopify.com/s/files/1/0429/2784/9639/files/tasawuf_imam_ghazali.pdf
- https://static.usrfiles.com/ugd/b8c837_752b1aaa1f574dcb93a3fbfb7c4d109f.pdf
- https://static.usrfiles.com/ugd/b8c837_9a36e93acd664a8b90e6c3864820f749.pdf
- https://static.usrfiles.com/ugd/b8c837_a917695fcc12412e834d052dc22b206c.pdf
- https://static.usrfiles.com/ugd/b8c837_ee156484cb8940ff8acfb0f0c7cf1a97.pdf
- https://cdn.shopify.com/s/files/1/0432/4392/9757/files/vageno.pdf
- https://cdn.shopify.com/s/files/1/0436/1669/8526/files/33218946164.pdf
- https://cdn.shopify.com/s/files/1/0431/5276/9192/files/torrentsnack_password_red_dead_redem.pdf
- https://cdn.shopify.com/s/files/1/0432/2702/1480/files/69233647411.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/gozoba.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 5
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005318.bin2474742c25ce4ae7167b3eabbc6b70977b64953ff62370cf49037832d8844adc |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5318 | 4996 bytes |
font_01_sfnt_off00006419.bin1b46d5bc4fdbf0d6fe8c63cd43ee594182eadc69f4e4c2f28049411ad73c8202 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6419 | 1792 bytes |
font_02_sfnt_off00006cf2.bin7da49b9ce1092d68c1ed3a879c66b6f030d5abd3a8f711dd17deb6603217de55 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6CF2 | 11392 bytes |
font_03_sfnt_off000091d3.bincf96631f784379724622ae63351c9d35a5a19c08ac2d66cb149eb318896b45b9 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x91D3 | 16416 bytes |
font_04_sfnt_off0000a7c5.bin4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA7C5 | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.