MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.cc/wix?keyword=%25D9%2585%25D9%2588%25D8%25A7%25D9%2582%25D8%25B9+%25D8%25B4%25D8%25A8%25D9%258A%25D9%2587%25D8%25A9+%25D8%25A8+theync'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links to other PDFs, suggesting a coordinated effort for traffic redirection or SEO manipulation. The ML classifier also strongly flagged this PDF as malicious.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wix?keyword=%25D9%2585%25D9%2588%25D8%25A7%25D9%2582%25D8%25B9+%25D8%25B4%25D8%25A8%25D9%258A%25D9%2587%25D8%25A9+%25D8%25A8+theync
- https://cdn.shopify.com/s/files/1/0428/8082/7558/files/lizubipirijosakaxulokel.pdf
- https://cdn.shopify.com/s/files/1/0435/9618/5763/files/21918853594.pdf
- https://cdn.shopify.com/s/files/1/0433/8063/7859/files/lagu_amelina_asyik.pdf
- https://cdn.shopify.com/s/files/1/0430/4296/3613/files/92175340945.pdf
- https://cdn.shopify.com/s/files/1/0434/4758/2870/files/columns_and_beams_in_building_construction.pdf
- https://cdn.shopify.com/s/files/1/0436/3563/8425/files/wabutida.pdf
- https://static.usrfiles.com/ugd/cbe7f7_1ccbf6765e72471da658078afbddcf60.pdf
- https://static.usrfiles.com/ugd/b8c837_5f07abd4e94e4775beff56f609c3000f.pdf
- https://static.usrfiles.com/ugd/a640e9_2a9a33b745084f7fbe874d9bd64eb775.pdf
- https://cdn.shopify.com/s/files/1/0430/5495/6695/files/latex_beamer_insert.pdf
- https://cdn.shopify.com/s/files/1/0436/9619/3686/files/navy_dress_blues_regulations_enlisted.pdf
- https://cdn.shopify.com/s/files/1/0433/2965/0843/files/jawejerekuxikisaxege.pdf
- https://cdn.shopify.com/s/files/1/0460/8691/4212/files/taxonomy_affective_domain.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_006_off0000bbeb.bina7e7ac52436c262a5f5998bb1d2863b3331a784ce943113ee8b493c000f9c3b5 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xBBEB | 31696 bytes |
font_00_sfnt_off00007871.binfe0a42d4d49625efca053d0062582d07095d17a40d434386db1b6090b38cf7e6 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7871 | 4380 bytes |
font_01_sfnt_off00008754.bine1a709f74177341f492a3c0153aff682f77c7c748fe4ebc83a44b61043b6e53c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8754 | 17576 bytes |
font_02_sfnt_off0000a1bb.bin716deb222422c072385626b75afd96dbbf74c2fd9bb313419f5b9774fbd8a95b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA1BB | 7664 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.