MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.cc/pify?keyword=bcbs+al+provider+manual+2018'. This URL is designed to lure users to malicious infrastructure. The document also contains a large number of external PDF links, many hosted on Shopify, suggesting a link farm or SEO poisoning tactic to improve search engine visibility for malicious content. No scripts were extracted from this sample.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=bcbs+al+provider+manual+2018
- http://files.saylorflett.com/uploads/1/3/0/7/130740462/6180337.pdf
- https://cdn.shopify.com/s/files/1/0433/0278/1083/files/8610900629.pdf
- https://cdn.shopify.com/s/files/1/0433/0923/6374/files/31129793981.pdf
- https://cdn.shopify.com/s/files/1/0432/5087/6578/files/english_arabic_medical_dictionary.pdf
- https://cdn.shopify.com/s/files/1/0434/7422/3269/files/dogoxupenelupuxidibaviwa.pdf
- https://cdn.shopify.com/s/files/1/0431/0279/7986/files/14941191655.pdf
- https://cdn.shopify.com/s/files/1/0428/2223/8374/files/2003_ford_taurus_repair_manual.pdf
- https://cdn.shopify.com/s/files/1/0431/7829/5450/files/lukikupemif.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/vabagibad.pdf
- https://cdn.shopify.com/s/files/1/0432/1184/9890/files/95558902380.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/69296453687.pdf
- https://cdn.shopify.com/s/files/1/0431/8196/5474/files/halloween_flyer_templates_free_for_word.pdf
- https://cdn.shopify.com/s/files/1/0430/9277/0977/files/91234039237.pdf
- https://cdn.shopify.com/s/files/1/0438/6547/3184/files/58337851220.pdf
- https://cdn.shopify.com/s/files/1/0432/6211/6008/files/gixifajoxemaz.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 5
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_007_off000097ef.bin981178a37e99c54db337fe8ca473596aba0b5b514841865b47fb13fe181c1000 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x97EF | 17324 bytes |
font_00_sfnt_off000044c6.bin4f3ecdd2342e05d4195def02b63fffcc45e7646e473e242dfb5fcce07b9c8ed3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x44C6 | 3936 bytes |
font_01_sfnt_off000052f4.bin576d95ac4ffc8b3bd76dfe291a91150350f7d919f05b4c71dc204b52290e45d2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x52F4 | 5988 bytes |
font_02_sfnt_off00006734.bin4910d0177da9f60ecc92c13a34fae8c5c38ffafb9e4e22a3c3fd987548b79157 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6734 | 6148 bytes |
font_03_sfnt_off00007714.bin277a06c0736e52767f0743d03a3d9cd4afbfcc39b18d137e65c4105efa225202 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7714 | 9732 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.