MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a critical heuristic firing for a malicious redirector link pointing to ttraff.com, which is used in a lure for 'VPN APK for Android'. The document also contains a PDF link farm heuristic, indicating a large number of outbound links, with the first being to a Shopify URL. The ML classifier strongly flagged this PDF as malicious. The primary intent appears to be redirecting the user to malicious infrastructure.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=vpn+apk++for+android+2.+3
- https://cdn.shopify.com/s/files/1/0432/4101/3415/files/pipubeke.pdf
- https://cdn.shopify.com/s/files/1/0432/8456/2084/files/91955863049.pdf
- https://cdn.shopify.com/s/files/1/0432/7587/8564/files/nibavirefepaxibom.pdf
- https://cdn.shopify.com/s/files/1/0435/3094/4671/files/pismo_beach_surf_report.pdf
- https://cdn.shopify.com/s/files/1/0431/4474/1024/files/the_cambridge_dictionary_of_christian_theology.pdf
- https://static.usrfiles.com/ugd/b8c837_c1206fbd2697436f99aac9899033b8ba.pdf
- https://static.usrfiles.com/ugd/83b1b3_5e9e228d4ac24dcba9c0a60784065601.pdf
- https://static.usrfiles.com/ugd/ce0e6d_f3a029c9b5204850abb35bfb16d6ee06.pdf
- https://static.usrfiles.com/ugd/b8c837_2fa5e19c3e874ab1a8b08aba72e3ba99.pdf
- https://static.usrfiles.com/ugd/b8c837_25f619fe66cf499da623bac0f75446b7.pdf
- https://static.usrfiles.com/ugd/b8c837_95d3cb5d56764b24be6e54d0e39ab094.pdf
- https://static.usrfiles.com/ugd/d55797_d8bb57478e72490bbe146f092602853f.pdf
- https://static.usrfiles.com/ugd/b8c837_7d9e9592253e44b8b58d25baa5b756a9.pdf
- https://static.usrfiles.com/ugd/b8c837_4ec54658663d40dda07b4a9180666798.pdf
- https://static.usrfiles.com/ugd/b8c837_5c1f2cc44e1941a7b05bf5c0715eae8f.pdf
- https://static.usrfiles.com/ugd/b8c837_821e933222a64af9b7de43d3807d34f3.pdf
- https://static.usrfiles.com/ugd/ce77c6_b33d459d8fc5465c8fa518c8464ded11.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_005_off000084ff.binc2b29a41e5105a871d56063ff530889dae8f9fa893635a83090d1db050c8fd47 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x84FF | 19716 bytes |
font_00_sfnt_off00004f87.binca6a96b7132e5bf1842404fd994b44f7673fd7eeece241420caae0c909bb2703 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4F87 | 5180 bytes |
font_01_sfnt_off00006152.bine839e8e89c157c38411e04b83c6b467e4a8606e86e7d8ebcdd6a1c253f53776e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6152 | 10360 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.