MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=wiseguy+book+waterstones'. This URL is likely used to lure users into a phishing or malware download site. The document body, though heavily obfuscated, also contains this URL, reinforcing its role in the attack. The presence of a large number of external PDF links further suggests a link farm or SEO poisoning tactic to distribute the malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wix?keyword=wiseguy+book+waterstones
- https://static.usrfiles.com/ugd/7f46b5_7efe883bf65a4f42a2174b27afa1e891.pdf
- https://static.usrfiles.com/ugd/2ac701_94385891c6034738a650ba3e5cb946cc.pdf
- https://static.usrfiles.com/ugd/2c8d66_fb7c95a39f174650841247badfaa72ac.pdf
- https://static.usrfiles.com/ugd/bd5c68_c5b51251fff54d64897bdd5c2349f918.pdf
- https://static.usrfiles.com/ugd/b8c837_9ddd038498814c82b60a22be57d7bd59.pdf
- https://cdn.shopify.com/s/files/1/0437/6500/6494/files/szsinocam_manual_download.pdf
- https://cdn.shopify.com/s/files/1/0433/3699/0885/files/bootstrap_material_datepicker.pdf
- https://cdn.shopify.com/s/files/1/0433/0445/2246/files/80846237383.pdf
- https://static.usrfiles.com/ugd/b8c837_0f4d587ac53d4842a8a9de53f98e2172.pdf
- https://static.usrfiles.com/ugd/73cb9e_ba560761d81640798a487db390a2017f.pdf
- https://static.usrfiles.com/ugd/865d50_6d170dd7d4c740aab0eba4ee94f9a76d.pdf
- https://static.usrfiles.com/ugd/93c935_bd95426f891940c9a42516fb626d52be.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005e29.bin9210d30c1b4a5dbd6f1a03b424f167d7557e9ebc94082476d3e25303795404a7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5E29 | 5232 bytes |
font_01_sfnt_off00007027.bin3aff32a9782dae5561f7c75d043897ba2c78cc0cb22e0e90a124603d5fb43532 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7027 | 10060 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.