MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains a critical heuristic firing for a malicious redirector link, which is also present in the document body. This link, 'https://ttraff.link/wix?keyword=browsec+vpn+apk+old+version', is likely used to lure users into downloading malicious software. The file also contains a large number of embedded links, many pointing to 'static.usrfiles.com', suggesting a link farm or SEO poisoning tactic to improve search engine ranking for malicious content. The ML classifier also strongly flagged this PDF as malicious.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.link/wix?keyword=browsec+vpn+apk+old+version
- https://static.usrfiles.com/ugd/902d29_e3600203b0f144e0a7da8dbfbef7b797.pdf
- https://static.usrfiles.com/ugd/b8c837_b163dd7a12994e479ffc31d4ffef78a0.pdf
- https://static.usrfiles.com/ugd/15d534_e93aac722ba047bb8ef65fa1b2632358.pdf
- https://static.usrfiles.com/ugd/b8c837_2ecca8e6416e440db3b65cac44bffcda.pdf
- https://static.usrfiles.com/ugd/b8c837_47b202d7a54d49bcb8fff20e4828ace3.pdf
- https://cdn.shopify.com/s/files/1/0432/6224/7075/files/research_articles_in_accounting_and_finance.pdf
- https://cdn.shopify.com/s/files/1/0461/8836/3929/files/numidek.pdf
- https://cdn.shopify.com/s/files/1/0429/5370/3590/files/shrimad_bhagwat_geeta_in_bengali_free_download.pdf
- https://cdn.shopify.com/s/files/1/0433/2437/5194/files/dapidomeroxaboxewukepaj.pdf
- https://static.usrfiles.com/ugd/ee6770_7daff9e2c36447e88398d4e1b5c31cb8.pdf
- https://static.usrfiles.com/ugd/83f04e_5e731e174fe848ac8601f78c166b38a3.pdf
- https://static.usrfiles.com/ugd/b8c837_8d6d05ba13cc4be48b865d1ca7e988b5.pdf
- https://static.usrfiles.com/ugd/a18aa6_a4102fd8ac4f4211a0a1b0c190e0de34.pdf
- https://static.usrfiles.com/ugd/b8c837_a33d3cda790a4d43ba951291a5ab1ebf.pdf
- https://static.usrfiles.com/ugd/625844_c2620d14039e47ee8703555d542968d5.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00004b93.bin6d56a2c2cf633dae80050f897d86a245b7ba8cb449b3a0aba11891b21289297f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4B93 | 5332 bytes |
font_01_sfnt_off00005de1.bin8edb361c58fd72ebc2b848aa39e36787dba484b853ed9871d561a2054832eb94 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5DE1 | 12964 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.