Verdict: MALICIOUS
Risk Score: 152
Malware Insights
MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link (the PDF carries a clickable URI to an external redirector; this sub-technique ID is Spearphishing Link, not Spearphishing Attachment)
T1059.001 Command and Scripting Interpreter: PowerShell (no script was extracted from this sample, so this mapping is not backed by behaviour observed in the document itself)
The PDF contains a clickable link to ttraff.ru, a known malicious redirector, which is likely used to route the reader on to further malware or phishing content. The document also carries a large number of external links to other PDFs, mostly clustered on one host, which is the pattern of a generated link farm used for SEO poisoning. No scripts were extracted, so the verdict rests on the malicious link, the link-farm structure and the ML classifier's maximum confidence score rather than on any observed code execution.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
- PDF links to known malicious redirector infrastructure
  Severity: critical
  Rule: PDF_MALICIOUS_REDIRECTOR_LINK
  PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm
  Severity: critical
  Rule: PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Object number defined twice with different bodies
  Severity: info
  Rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL
  Severity: info
  Rule: EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URLs:
- https://ttraff.ru/wix?keyword=fallen+london+professions+guide
- https://cdn.shopify.com/s/files/1/0438/1881/1552/files/viwuze.pdf
- https://cdn.shopify.com/s/files/1/0430/8277/6725/files/76051622832.pdf
- https://cdn.shopify.com/s/files/1/0428/3337/9487/files/vozeje.pdf
- https://static.usrfiles.com/ugd/4bdc6d_fce6ac47cd7c4a8fab8ee1b1230d314a.pdf
- https://static.usrfiles.com/ugd/b8c837_b18c0ffc66744c3c871f2457452c1d9d.pdf
- https://static.usrfiles.com/ugd/ad2ade_23c068088660440ea87c36a74c1117e8.pdf
- https://static.usrfiles.com/ugd/b8bbd7_2fcc96fb231b4d3cac3f5ecac9337f5e.pdf
- https://static.usrfiles.com/ugd/b8c837_dd4d65ea4f9444d2a5a347f9902067be.pdf
- https://cdn.shopify.com/s/files/1/0435/9897/1038/files/naxanopixofijuwemep.pdf
- https://cdn.shopify.com/s/files/1/0431/6325/4944/files/39591713500.pdf
- https://cdn.shopify.com/s/files/1/0437/1123/4199/files/no_bystanders_travis_scott.pdf
- https://static.usrfiles.com/ugd/78c764_7b3fdf3858704dfe9b753b198cffa23d.pdf
- https://static.usrfiles.com/ugd/d55797_4f2e1b4a42054f70bad396ad649163db.pdf
The remaining URLs are XMP metadata namespace identifiers (RDF, Dublin Core and Adobe PDF/XMP schemas) taken from the document's metadata stream, not clickable links:
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
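The two critical heuristics (PDF_MALICIOUS_REDIRECTOR_LINK, PDF_SEO_LINK_FARM) and the duplicate-object check can be reproduced over raw PDF bytes. The Python script below is an added example and not the analyzer's own rule code: it pulls every /URI literal out of link annotations, clusters the .pdf targets by host, matches hosts against an indicator set, and reports any "N G obj" that is defined twice with differing bodies, showing which body a first-wins versus a last-wins reader would resolve and whether the later body carries active content. The thresholds, the REDIRECTOR_HOSTS set (seeded with ttraff.ru from this report), the ACTIVE_KEYS list and the embedded sample PDF are assumptions; the sample reuses URLs from the report's URL list, but its object structure is constructed for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed indicator set; ttraff.ru is the redirector host named in this report.
REDIRECTOR_HOSTS = {"ttraff.ru"}
# Assumed: dictionary keys that mark a duplicated object body as carrying active content.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/URI")

# Byte-level patterns over uncompressed PDF syntax (objects inside /ObjStm are invisible here).
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def pdf_string(raw: bytes) -> str:
    """Drop the backslash from escaped characters in a PDF literal string (enough for URLs)."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def extract_uris(pdf: bytes) -> list:
    """Every /URI literal string in the file, in file order; both bodies of a redefined object count."""
    return [pdf_string(m.group(1)) for m in URI_RE.finditer(pdf)]


def link_heuristics(pdf: bytes, max_size=64 * 1024, min_pdf_links=6, min_host_share=0.5) -> dict:
    """PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM over raw bytes; thresholds are assumptions."""
    uris = extract_uris(pdf)
    hosts = [urlparse(u).hostname or "" for u in uris]
    redirectors = sorted({h for h in hosts if h in REDIRECTOR_HOSTS})
    pdf_links = [u for u in uris if (urlparse(u).path or "").lower().endswith(".pdf")]
    top = Counter(urlparse(u).hostname for u in pdf_links).most_common(1)
    top_host, top_count = top[0] if top else ("", 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    link_farm = len(pdf) <= max_size and len(pdf_links) >= min_pdf_links and share >= min_host_share
    return {"uris": uris, "redirectors": redirectors, "pdf_links": len(pdf_links),
            "top_host": top_host, "top_host_share": round(share, 2), "link_farm": link_farm}


def duplicate_objects(pdf: bytes) -> dict:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: 'N G obj' defined more than once with differing bodies.
    Returns the body a first-wins and a last-wins reader would resolve, plus whether the last
    body carries active content (the condition under which the report raises severity)."""
    seen = {}
    for m in OBJ_RE.finditer(pdf):
        seen.setdefault((int(m.group(1)), int(m.group(2))), []).append(m.group(3).strip())
    return {key: {"first_wins": bodies[0], "last_wins": bodies[-1],
                  "active": any(k in bodies[-1] for k in ACTIVE_KEYS)}
            for key, bodies in seen.items() if len(set(bodies)) > 1}


def _link_obj(num: int, uri: str) -> bytes:
    """One link annotation object with a URI action."""
    return (f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            f"/A << /S /URI /URI ({uri}) >> >>\nendobj\n").encode()


# URLs copied from this report's Embedded URL list; the surrounding PDF is constructed.
FARM_URLS = [
    "https://cdn.shopify.com/s/files/1/0438/1881/1552/files/viwuze.pdf",
    "https://cdn.shopify.com/s/files/1/0430/8277/6725/files/76051622832.pdf",
    "https://cdn.shopify.com/s/files/1/0428/3337/9487/files/vozeje.pdf",
    "https://cdn.shopify.com/s/files/1/0435/9897/1038/files/naxanopixofijuwemep.pdf",
    "https://cdn.shopify.com/s/files/1/0431/6325/4944/files/39591713500.pdf",
    "https://static.usrfiles.com/ugd/4bdc6d_fce6ac47cd7c4a8fab8ee1b1230d314a.pdf",
    "https://static.usrfiles.com/ugd/b8c837_b18c0ffc66744c3c871f2457452c1d9d.pdf",
]
REDIRECTOR_URL = "https://ttraff.ru/wix?keyword=fallen+london+professions+guide"

# Constructed sample (no xref table; enough for byte-level triage). Object 20 is defined
# twice: the original is an inert annotation, and the appended "incremental update"
# redefines it with the redirector URI, so first-wins and last-wins readers disagree
# about whether the page links to ttraff.ru at all.
ANNOTS = " ".join(f"{n} 0 R" for n in range(4, 4 + len(FARM_URLS))) + " 20 0 R"
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    + b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    + f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{ANNOTS}] >>\nendobj\n".encode()
    + b"".join(_link_obj(4 + i, u) for i, u in enumerate(FARM_URLS))
    + b"20 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] >>\nendobj\n"
    + b"%%EOF\n"
    + _link_obj(20, REDIRECTOR_URL)
    + b"%%EOF\n"
)

if __name__ == "__main__":
    verdict = link_heuristics(SAMPLE_PDF)
    print("redirectors:", verdict["redirectors"], "| link farm:", verdict["link_farm"],
          f"({verdict['pdf_links']} .pdf links, {verdict['top_host_share']:.0%} on {verdict['top_host']})")
    for (num, gen), d in duplicate_objects(SAMPLE_PDF).items():
        print(f"{num} {gen} obj redefined; last-wins body carries active content: {d['active']}")
```

Limitation worth keeping in mind: the regexes only see uncompressed object syntax, so objects inside /ObjStm streams or FlateDecode'd content must be inflated first, and a real sample should be cross-checked with a proper PDF parser before the verdict is trusted. The redefinition of object 20 is also why the URL count from a byte-level pass can exceed what any single reader renders.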
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00008128.bin | 35e653c4a055443d941f1dfefd1b85f6e283503bdec46e808bc2f7665a89baf0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8128 | 5164 bytes |
| font_01_sfnt_off000092cf.bin | d229cc3cc8605c5e1221ebf61cecbd1c868953b29d10e048c51871a0427b3a2f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x92CF | 10120 bytes |