MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a link to a known malicious redirector, ttraff.me, disguised as a factoring worksheet. This suggests a phishing or social engineering attack aimed at directing users to malicious content. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs, many pointing to Shopify-hosted PDFs. No scripts were extracted from this sample.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.me/wix?keyword=synthetic+division+factoring+worksheet
- https://static.usrfiles.com/ugd/0c268c_af82f7a11d5342bda8a0f4c17d34d020.pdf
- https://static.usrfiles.com/ugd/027f51_5aba0b8f450f48b6a1191b40c103af68.pdf
- https://static.usrfiles.com/ugd/b8c837_71122891b4c64d9488dcbdef0f8eca2c.pdf
- https://static.usrfiles.com/ugd/b8c837_07678323f78b4d569390d06684eff081.pdf
- https://cdn.shopify.com/s/files/1/0432/8135/0820/files/sebeludurema.pdf
- https://cdn.shopify.com/s/files/1/0430/6989/8909/files/84432456760.pdf
- https://cdn.shopify.com/s/files/1/0431/9445/0082/files/complete_guitar_guide.pdf
- https://cdn.shopify.com/s/files/1/0435/8592/9375/files/nunulegewatumosi.pdf
- https://cdn.shopify.com/s/files/1/0432/8531/5744/files/storytelling_with_data_cole_nussbaumer.pdf
- https://cdn.shopify.com/s/files/1/0429/5321/2057/files/biwusanegizedoxikedowes.pdf
- https://cdn.shopify.com/s/files/1/0436/1909/0595/files/check_out_time_2pac.pdf
- https://cdn.shopify.com/s/files/1/0431/3051/9703/files/64272839013.pdf
- https://static.usrfiles.com/ugd/e3834b_31ceab1fb30b466bab6e6d9bd8618367.pdf
- https://static.usrfiles.com/ugd/6812d7_f0c97bdca985419a98ae27010f52b5ba.pdf
- https://static.usrfiles.com/ugd/756799_de9e6f6c99734468a877c2c226247bfe.pdf
- https://static.usrfiles.com/ugd/2e16aa_d32f571d736643c9aa55a3db633a7d5b.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006b5c.bine673466f2e893728e3e39554626d6238c614e2295c282bddbea9c5cda5376d05 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6B5C | 5672 bytes |
font_01_sfnt_off00007eca.bin76084a13f278433a1f539906777fdb88d99756173efcbe822286db81e33b655d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7ECA | 10032 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.