MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a heuristic match for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it directs users to malicious infrastructure. Additionally, it exhibits characteristics of a PDF_SEO_LINK_FARM, suggesting it's part of a larger scheme to distribute malicious links. The embedded URL https://ttraff.cc/wix?keyword=trim+a+slab+vs+slab+gasket is identified as a malicious redirector. The document body, though heavily obfuscated, contains this URL, reinforcing the attack pattern.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wix?keyword=trim+a+slab+vs+slab+gasket
- https://cdn.shopify.com/s/files/1/0438/1288/0544/files/idautomation_php_barcode_generator_script_free.pdf
- https://cdn.shopify.com/s/files/1/0431/4696/9237/files/98484647174.pdf
- https://cdn.shopify.com/s/files/1/0486/3528/1566/files/70570300917.pdf
- https://cdn.shopify.com/s/files/1/0428/0942/6079/files/40463329754.pdf
- https://cdn.shopify.com/s/files/1/0465/4333/9678/files/twilight_forest_portal_guide.pdf
- https://2347d01f-a141-4318-93f1-c4426636b895.filesusr.com/ugd/d2759c_e9daea5e7ef942e88b4c757bbae49e22.pdf?index=true
- https://9bfe6f1b-2ec8-47b3-b3f4-99edde1d6da2.filesusr.com/ugd/73f3b0_61937025e2d54eff8c87ae11555b56d2.pdf?index=true
- https://8d404370-561f-40e7-af1d-493a616845bc.filesusr.com/ugd/ba3095_5bd3772ce9c6489fb3ea4d1ef528c55d.pdf?index=true
- https://ead4847c-fb5b-4b92-b3ec-84dd482e26d1.filesusr.com/ugd/65d6f7_7275a0ff88764eea9ce35983271eb9f1.pdf?index=true
- https://672ccff1-ae26-4b1b-9ae5-5ad3d69747af.filesusr.com/ugd/a86d68_92632185f20e4f5ab7112b960696007e.pdf?index=true
- https://da0a638c-29a4-4bce-b026-9db85760da94.filesusr.com/ugd/e3ff21_b80b2822c86344bd9900ba04668b4c5f.pdf?index=true
- https://71d70a2c-d634-4a26-ac6d-70186d34c005.filesusr.com/ugd/9ea91e_672edc4ca2c84f419fe65ab2591f902a.pdf?index=true
- https://cdn.shopify.com/s/files/1/0432/6329/5650/files/fejimen.pdf
- https://cdn.shopify.com/s/files/1/0430/7432/2586/files/maruxefaxej.pdf
- https://cdn.shopify.com/s/files/1/0463/2566/1853/files/34848764831.pdf
- https://cdn.shopify.com/s/files/1/0438/4302/7106/files/compressing_mac.pdf
- https://cdn.shopify.com/s/files/1/0437/0166/5960/files/bootstrap_w3schools.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00010a90.bin72fe27f74c356f137277e631ada5895d0328b9d022dfa758e4dbf1e264919ea3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10A90 | 5216 bytes |
font_01_sfnt_off00011c40.binf79e25c1d0250a71f0bb153cd6ac5d0d1587062b6787bd4481b83808116fe75e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11C40 | 10872 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.