MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a link to a known malicious redirector, ttraff.cc, which is disguised as a medical guideline. This indicates a phishing attempt to redirect the user to a malicious site. The ML classifier strongly supports the malicious verdict. No scripts were extracted, but the embedded URL is sufficient evidence for the attack pattern.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wix?keyword=pituitary+apoplexy+guideline+2015
- https://static.usrfiles.com/ugd/165585_4c3931afc64f411591f99ebc41d945b9.pdf
- https://static.usrfiles.com/ugd/b8c837_83a6177815bb45f1bf535570ea7ac4f8.pdf
- https://static.usrfiles.com/ugd/963627_c88c94856f2745fe8ce6950361d270b8.pdf
- https://static.usrfiles.com/ugd/d01287_2853b23dd70a434eb47d0151fc78c8ab.pdf
- https://static.usrfiles.com/ugd/97493d_eb60e372b4df44bf9849637016d4cba7.pdf
- https://static.usrfiles.com/ugd/003b86_9343c8fe5a0c4e90a4f02986b8207a55.pdf
- https://cdn.shopify.com/s/files/1/0436/2246/5699/files/morudutop.pdf
- https://cdn.shopify.com/s/files/1/0439/7993/1806/files/journal_of_atmospheric_and_solar_terrestrial_physics.pdf
- https://cdn.shopify.com/s/files/1/0434/0583/6438/files/42727216590.pdf
- https://cdn.shopify.com/s/files/1/0437/1464/2069/files/bexuxevanabuvinopuka.pdf
- https://cdn.shopify.com/s/files/1/0428/2561/3475/files/37544460496.pdf
- https://cdn.shopify.com/s/files/1/0432/2865/9870/files/zutatigixebonazofumave.pdf
- https://cdn.shopify.com/s/files/1/0433/4796/8149/files/chemistry_notes_form_1_to_4.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0001537d.bin924a4d826a3dc6777d49d73a7cfe8323ed2729c49d455d76484807916e28349e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1537D | 5572 bytes |
font_01_sfnt_off0001669c.bin7a6047383b1242407bd30e11d8b4974346b2c93492113fc24bd65d7e30ef85e7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1669C | 14372 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.