MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a malicious redirector link disguised as a worksheet, designed to lure users into clicking it. The ML classifier strongly indicates maliciousness. The primary malicious IOC is the redirector URL, which likely leads to a further stage of the attack. The presence of numerous benign-looking Shopify links suggests an attempt to blend in with legitimate content.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.link/wix?keyword=completing+linear+tables+worksheet
- https://cdn.shopify.com/s/files/1/0433/4141/4555/files/13924654311.pdf
- https://cdn.shopify.com/s/files/1/0433/7182/3262/files/71818612048.pdf
- https://cdn.shopify.com/s/files/1/0432/2453/1101/files/chelsea_vs_newcastle_2018.pdf
- https://cdn.shopify.com/s/files/1/0483/8152/6176/files/4584935777.pdf
- https://cdn.shopify.com/s/files/1/0432/3776/9383/files/catering_menu_pricing_template.pdf
- https://cdn.shopify.com/s/files/1/0460/9064/9764/files/microsoft_pamphlet_templates.pdf
- https://cdn.shopify.com/s/files/1/0449/7837/2766/files/gunotekofuvojenefi.pdf
- https://cdn.shopify.com/s/files/1/0440/5228/3542/files/ritmo_cassinese.pdf
- https://cdn.shopify.com/s/files/1/0434/4456/8216/files/ganapati_atharvashirsha_telugu.pdf
- https://3f534e9a-b714-4346-a146-40cd5f0fe8fa.filesusr.com/ugd/0c60a0_2e128ceee8354cfb967fb84ab0a17b22.pdf?index=true
- https://8af56760-9ee7-4ab2-9814-44ec45e3b986.filesusr.com/ugd/5ea691_27fe9f74a16a4fb8ac859b9863c1f759.pdf?index=true
- https://de73b4a6-08d0-4a0d-8061-47f7ceb6bd26.filesusr.com/ugd/21e6f2_3f4febd084304702b23c61009d86689e.pdf?index=true
- https://cdn.shopify.com/s/files/1/0431/5522/6778/files/zaxepakuwopamufumebizam.pdf
- https://cdn.shopify.com/s/files/1/0427/9726/9159/files/xuvodavunimoropobilani.pdf
- https://cdn.shopify.com/s/files/1/0435/3120/6808/files/iphone_unlock_tool_10._5_free_download.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005452.bin3ff7261dbbd20ab87af255359ce45737e68bcd0afa2912389b76ec024437e759 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5452 | 5436 bytes |
font_01_sfnt_off000066ac.binede9c18cc2c57c373ca53218ab4f0688def0266371b249fc2d0dbd77f5504fef |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x66AC | 9848 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.