MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a mass of external links, including a critical redirector link to 'ttraff.me'. The document body, though heavily obfuscated, contains text related to 'Justin guitar songs hotel california', likely a lure. The ML classifier strongly indicated maliciousness, and the presence of numerous links suggests a link farm or redirection strategy to deliver a payload.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.me/wix?keyword=justin+guitar+songs+hotel+california
- https://2e27d5a8-5d38-4bc0-9484-08cf3fb2f24e.filesusr.com/ugd/10b11f_51b9bbf5e86d44b8a26da3a8ba0c14b5.pdf?index=true
- https://c7a97488-f4e1-43dc-b10f-c6666596aade.filesusr.com/ugd/a76634_e81c9767b2da405dbc2b92f1b0d9d06b.pdf?index=true
- https://2098a6eb-8ff3-4bea-81a2-b48c47903f5f.filesusr.com/ugd/cc03df_fe7807ca26764500bc7eb03f879fc415.pdf?index=true
- https://cdn.shopify.com/s/files/1/0432/8049/8841/files/wikojagaveguge.pdf
- https://cdn.shopify.com/s/files/1/0431/1737/9745/files/calculus_early_transcendentals_2nd_edition_solutions.pdf
- https://cdn.shopify.com/s/files/1/0433/5065/5129/files/60022040153.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/51906755497.pdf
- https://cdn.shopify.com/s/files/1/0432/4366/7616/files/waiting_for_godot_book_free_download.pdf
- https://840b30a8-129e-4aee-98a0-c6acded5d6c1.filesusr.com/ugd/e1c37d_32c0d796f948428a9b80a089f97c4108.pdf?index=true
- https://050c7a2f-20ad-4aae-bbb6-d13736228e9f.filesusr.com/ugd/1e11d0_4c3906f1e2964a0f8ce2a560e8255cdc.pdf?index=true
- https://afeab7c7-9ef1-4916-8704-07fb068cd24d.filesusr.com/ugd/277b62_a1b5a12970574035895c6b6d291c4fb2.pdf?index=true
- https://849fb7db-9129-4e28-a7a7-169c1bd7e51a.filesusr.com/ugd/d63aaf_044df01f3155437eb764e80570469f3f.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00004f50.bin6b3a0f5e8ee66b40d1564403ccb36eb2959ad2e3e7f4b43f4c0960a33d1a5e1e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4F50 | 5132 bytes |
font_01_sfnt_off000060c5.bin876d3992470709526c9c4659ce317dd015bec4b92b71e71a785e25dd53945d32 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x60C5 | 13388 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.