MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/wb?keyword=kawasaki%20vulcan%20500%20bobber%20kit'. Additionally, it exhibits characteristics of a PDF link farm, with numerous external links, including one to 'https://cdn.shopify.com/s/files/1/0435/1583/8618/files/11919190626.pdf'. The ML classifier also flagged this PDF with high confidence. The document body, though heavily obfuscated, appears to contain the redirector URL, suggesting a lure to a malicious site.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wb?keyword=kawasaki%20vulcan%20500%20bobber%20kit
- http://files.ds-tuinwerken.com/uploads/1/3/1/4/131411281/27d7b23baf1e0.pdf
- http://figuperi.victoryhrc.org/uploads/1/3/0/7/130739309/9150040fbe57.pdf
- https://cdn.shopify.com/s/files/1/0435/1583/8618/files/11919190626.pdf
- https://cdn.shopify.com/s/files/1/0441/0834/9592/files/gepimazumoxa.pdf
- https://cdn.shopify.com/s/files/1/0432/4337/2699/files/18162847801.pdf
- https://cdn.shopify.com/s/files/1/0435/8209/5517/files/vogema.pdf
- https://cdn.shopify.com/s/files/1/0429/8581/6218/files/heartbeat_buddy_holly_sheet_music.pdf
- https://static.usrfiles.com/ugd/5d2cf3_d9a25fbc014c4153be2ed785aa1626b8.pdf
- https://static.usrfiles.com/ugd/35ddae_43283065800a448a9b4829d4720e2080.pdf
- https://static.usrfiles.com/ugd/b8c837_889d4b88bee9423abddabc7b51e033ab.pdf
- https://static.usrfiles.com/ugd/bca722_8d331cf02bd74dab8972e3f32b2d8a85.pdf
- https://static.usrfiles.com/ugd/4b7290_7ab76e43a1f74686a0f1b230c9160f3b.pdf
- https://static.usrfiles.com/ugd/b5973a_9ccdd8e95ba34dcb9551ca2fcff1d4af.pdf
- https://static.usrfiles.com/ugd/73c254_3e19dd6711be4fe79ab01640ec7e4f47.pdf
- https://static.usrfiles.com/ugd/74e905_e37233f5110c4d64b53640d6f43731cc.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_004_off000075ce.bin13455c5dd0a4914d6d75b49cd5c132e720df436d2de3f4f4bf586cdf70ce2f7c |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x75CE | 10268 bytes |
font_00_sfnt_off0000635b.binc1ef7d67130f31e8898b461964a7816494dcf632b588816889aa7b3e26c07ede |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x635B | 5384 bytes |
font_02_sfnt_off00009279.binac8464b081005a3e8052ac47a4a6e5a72d132b6e8f066fe30a88c3371ef5e973 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9279 | 10624 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.