MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a heuristic firing for a malicious redirector link pointing to 'https://ttraff.ru/wix?keyword=tablas+de+capacidad+calorifica'. This URL is likely used to redirect the user to a malicious site. The document body, though heavily obfuscated, contains the same URL, reinforcing its malicious intent. The presence of numerous embedded links also suggests a link farm or SEO poisoning tactic.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wix?keyword=tablas+de+capacidad+calorifica
- https://static.usrfiles.com/ugd/f0f215_d1970be1514a4903beaa50387aa32d82.pdf
- https://static.usrfiles.com/ugd/b8c837_a1e595c142fe4d1aa22bfba95c315d95.pdf
- https://static.usrfiles.com/ugd/b8c837_c046e6c9db3f4ae79f7e44e1e978235e.pdf
- https://static.usrfiles.com/ugd/8b9728_27fa9479d1c34991b24889a2cc2854e4.pdf
- https://static.usrfiles.com/ugd/b8c837_5115728ce64343c68e1683551c93fbcf.pdf
- https://cdn.shopify.com/s/files/1/0440/4704/0662/files/96226145613.pdf
- https://cdn.shopify.com/s/files/1/0463/4551/9261/files/soldier_fleurie_sheet_music.pdf
- https://cdn.shopify.com/s/files/1/0440/6870/0310/files/18729663197.pdf
- https://cdn.shopify.com/s/files/1/0428/5572/7260/files/33252011575.pdf
- https://cdn.shopify.com/s/files/1/0437/0271/4533/files/4299691614.pdf
- https://cdn.shopify.com/s/files/1/0430/0508/3811/files/76098770861.pdf
- https://cdn.shopify.com/s/files/1/0460/6518/9019/files/pokemon_snakewood_gameshark_codes.pdf
- https://cdn.shopify.com/s/files/1/0430/9359/0167/files/66440778538.pdf
- https://cdn.shopify.com/s/files/1/0431/2698/0765/files/arrow_alt_code.pdf
- https://cdn.shopify.com/s/files/1/0441/0189/4296/files/technical_drawing_basics.pdf
- https://cdn.shopify.com/s/files/1/0429/9161/6153/files/nosomepijas.pdf
- https://cdn.shopify.com/s/files/1/0464/2819/2920/files/nist_sp_800-53_rev_5_excel.pdf
- https://cdn.shopify.com/s/files/1/0437/4390/3905/files/casper_apk_2018.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00009da8.bin35aff00b035449bd2ce1082b4ed2c7b7da227ee13fb0cefb42a12e216f29601d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9DA8 | 5236 bytes |
font_01_sfnt_off0000af7a.bin11398fca480c57c9d706c8cd4017a33b8869f95ffc94f8759b4ed142fb9ecb53 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xAF7A | 17208 bytes |
font_02_sfnt_off0000e3e8.bin92e9eef5bab5402cd28dd78cc952917dc1e917ec0366d544209aa8acab859a07 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE3E8 | 16108 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.