MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a critical heuristic firing for a malicious redirector link, directing users to 'ttraff.cc'. The document body, though heavily obfuscated, also contains this URL and numerous other PDF links, many pointing to 'static.usrfiles.com', suggesting a link farm or redirection strategy. The ML classifier also strongly indicated maliciousness. The primary attack pattern involves luring the user to a malicious site via a deceptive link.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wix?keyword=pathfinder+kingmaker+companion+quest+guide
- https://static.usrfiles.com/ugd/b8c837_ea71c40b953e43ccac0318b398318834.pdf
- https://static.usrfiles.com/ugd/f523c3_f1dc4db95cc8489c82b64c10b60b5163.pdf
- https://static.usrfiles.com/ugd/d1d005_b80d0ed0700c44db92eb6eede9b2e396.pdf
- https://cdn.shopify.com/s/files/1/0439/2812/5595/files/45056838993.pdf
- https://static.usrfiles.com/ugd/b8c837_94f15a7589ab442185a06ff5ac978955.pdf
- https://static.usrfiles.com/ugd/b8c837_ed5ff982e8504dd98857a5e5da02b28d.pdf
- https://static.usrfiles.com/ugd/b914b5_39f129650fe142ee833e61d23e4aed5d.pdf
- https://static.usrfiles.com/ugd/374ce0_372e5c1f8d9841c9bd66a0951081bc82.pdf
- https://static.usrfiles.com/ugd/1f5cef_0a145dd40661457ebfaaee4b90a652cd.pdf
- https://static.usrfiles.com/ugd/f55bec_968facf75c3f4adf8f8032db7b2eb8ca.pdf
- https://static.usrfiles.com/ugd/7d21c0_2a179642ceae4a008692e9eca0008fad.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00009ada.binc3b60a3237ac5c78c2aa5413aa230974fe46d0d8cb7df103e81270bf77cb7637 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9ADA | 5728 bytes |
font_01_sfnt_off0000ae24.bin06c51a878211f842088c7ba7b2026001f19162d7570817c68b7e4139658e4469 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xAE24 | 10588 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.