MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
T1204.002 Malicious Link
The PDF contains a link that redirects to a known malicious domain, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains text related to a 'certificate of employment hawaii' and the malicious URL itself. The PDF_SEO_LINK_FARM heuristic indicates a large number of external links, suggesting a link farm or distribution mechanism for malicious content. The ML_NYX_PDF_MALICIOUS heuristic further supports the malicious nature of the file.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.club/wix?keyword=certificate+of+employment+hawaii
- http://jopanoj.lilmomentcaptured.com/uploads/1/3/1/4/131453718/05c4c6327a1ee.pdf
- http://files.laisaycheese.com/uploads/1/3/0/7/130775062/8494142.pdf
- http://siwipi.maldonanddengieramblers.org/uploads/1/3/0/7/130739919/kejuva.pdf
- https://cdn.shopify.com/s/files/1/0433/4492/0734/files/fegutulodotofu.pdf
- https://cdn.shopify.com/s/files/1/0437/9358/0189/files/85910264897.pdf
- https://cdn.shopify.com/s/files/1/0438/8493/7384/files/45411951297.pdf
- https://cdn.shopify.com/s/files/1/0438/5167/7856/files/lysaght_roof_sheet_profiles.pdf
- https://41b2fdac-5aed-4d54-871f-34ec7fa81a4b.filesusr.com/ugd/ce4b7c_143f130c39aa490999ccb15ae3ce024b.pdf?index=true
- https://59070cf7-cad9-479b-945e-7b8b56d9602d.filesusr.com/ugd/dd4472_a9a0c6ccb3fd4ecd8f8a87fce7d59dde.pdf?index=true
- https://9167db35-4a00-41e2-817c-9ef0ebb37661.filesusr.com/ugd/57c819_8861f487427d47b7a6a36791a612201a.pdf?index=true
- https://15d9ef1b-58eb-4a75-98d8-ebacb1eb5471.filesusr.com/ugd/48bf55_2556a18602e74efe93b77f8353244ed4.pdf?index=true
- https://6a9fb7e4-83fc-4dd0-b1c5-98d5770bb1a3.filesusr.com/ugd/d6af85_413287f9bf574e9389473a0ee27719c8.pdf?index=true
- https://cdn.shopify.com/s/files/1/0437/9095/8749/files/37877842052.pdf
- https://cdn.shopify.com/s/files/1/0432/5313/7576/files/vifagu.pdf
- https://cdn.shopify.com/s/files/1/0430/0167/5939/files/jujibufu.pdf
- https://cdn.shopify.com/s/files/1/0431/6086/2874/files/xasewafawififolowofoja.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/buxidumex.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/042
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006334.bind41b6bbe795ecc8f6c144c6704b59db2e4131d8ec9f4da51d5feec496ca62580 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6334 | 5176 bytes |
font_01_sfnt_off000074b7.binbc2d8922335711e8595a0a8b99da544681bd67b43476ce143f633b836a4b00dc |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x74B7 | 9820 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.