MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a large number of embedded links, with the primary malicious redirector being https://ttraff.ru/wb?keyword=glomus%20mosseae%20pdf. This indicates a link farm or SEO poisoning attack designed to lure users to malicious infrastructure. The ML classifier also strongly flagged this PDF as malicious.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wb?keyword=glomus%20mosseae%20pdf
- https://cdn.shopify.com/s/files/1/0428/7247/1718/files/basic_laws_of_electronics_engineering.pdf
- https://cdn.shopify.com/s/files/1/0458/5976/6425/files/design_background_powerpoint_2007_free.pdf
- https://cdn.shopify.com/s/files/1/0429/2050/9596/files/fallout_4_mod_load_order.pdf
- https://cdn.shopify.com/s/files/1/0429/2860/3295/files/firered_rare_candy_cheat.pdf
- https://cdn.shopify.com/s/files/1/0431/4536/3610/files/jitulekoruw.pdf
- https://cdn.shopify.com/s/files/1/0436/1161/9491/files/gufosejuzenuji.pdf
- https://cdn.shopify.com/s/files/1/0433/0048/7332/files/pdf_to_word_converter_free_version.pdf
- https://static.usrfiles.com/ugd/510a18_b318db3d75114229a8d0c145d6773b7d.pdf
- https://static.usrfiles.com/ugd/05301a_cbbd2ed2609e4bd0a189fe4a67189b19.pdf
- https://static.usrfiles.com/ugd/510a18_06e45db429d94aec9083acdab3e8425d.pdf
- https://static.usrfiles.com/ugd/afe78f_f8f2a31aa88f40e6938a9b46e384e4f9.pdf
- https://static.usrfiles.com/ugd/270e53_6f5d8059134145bea82e85bb8ed9912c.pdf
- https://static.usrfiles.com/ugd/3aca14_1bea5734e3074b31b868e3e34e09994f.pdf
- https://static.usrfiles.com/ugd/a4e402_fbae20831b0a42fdb1e7d11cb14f3d88.pdf
- https://static.usrfiles.com/ugd/dcf311_181facd9d37c43fb892de5d84d0a360f.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000eb33.bin500be23c916ff7c31fe58167fa1a898b0711283e3b06c4f207ff777b29c41acc |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB33 | 5120 bytes |
font_01_sfnt_off0000fc94.bin9767f3791df470d29fec40f3341f4faec78df61708ba4b1544506ff18f9089cb |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFC94 | 13808 bytes |
font_02_sfnt_off0001289f.bin6d9ddf713b130202d60aac7c25d91f483ff7b867a7fd07e642abbb74800ff7d3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1289F | 16228 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.