MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.cc/wix?keyword=bed+sheets+walmart+twin'. The document body, though heavily obfuscated, contains this URL and appears to be a lure related to product searches. The ML classifier also strongly indicated maliciousness. The PDF also contains a mass external link farm, suggesting a spam or SEO poisoning campaign.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wix?keyword=bed+sheets+walmart+twin
- https://static.usrfiles.com/ugd/eaf48f_c65480855d644eca9b61381ec77cb53a.pdf
- https://static.usrfiles.com/ugd/0df15e_9012e789d34240a49cbb1187ee298a65.pdf
- https://static.usrfiles.com/ugd/a382ee_c3e29fb78f6e4b24b0e1140e18292524.pdf
- https://static.usrfiles.com/ugd/b8c837_4f30ef273b844e8db05031206df031d2.pdf
- https://static.usrfiles.com/ugd/b8c837_905df093d5004ff2890dfef871bb503e.pdf
- https://cdn.shopify.com/s/files/1/0429/1667/5740/files/92205697312.pdf
- https://cdn.shopify.com/s/files/1/0429/4030/1478/files/kobubovuregovibedawatexuz.pdf
- https://cdn.shopify.com/s/files/1/0432/0926/1217/files/the_blast_furnace.pdf
- https://cdn.shopify.com/s/files/1/0431/3448/4648/files/40977509520.pdf
- https://cdn.shopify.com/s/files/1/0434/7533/7368/files/43673969049.pdf
- https://static.usrfiles.com/ugd/b8c837_91f77b957d3846caad2053f2accffe7b.pdf
- https://static.usrfiles.com/ugd/4d935e_ffba2123c6234f30a114bb7965fe78d0.pdf
- https://static.usrfiles.com/ugd/7198c1_734b7a7f7eab4f8d99dc90082421b0ca.pdf
- https://static.usrfiles.com/ugd/f84671_1a94766feb5a45409fe3b750e35fd60a.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000074be.binf6509440b2280cf97f4ea90624cd0c5ff88401cab7ca8ee3c0ebc5f0d1b8aeee |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x74BE | 5208 bytes |
font_01_sfnt_off00008658.bin5114da977f9953d531ee30eae37409e7813525acc29e89ac5fbe01682058a1fa |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8658 | 10424 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.