MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
T1204.002 Malicious Link
The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.ru', which is associated with malicious activity. Additionally, the PDF exhibits characteristics of a link farm, with numerous embedded links, many of which point to Shopify domains. The document body, though heavily obfuscated, contains the same search query as the malicious URL, suggesting a lure. The ML classifier strongly flagged this PDF as malicious. No scripts were extracted, but the primary attack vector appears to be a malicious redirector disguised as content.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wix?keyword=meteor+garden+2018++dramacool
- https://cdn.shopify.com/s/files/1/0437/6874/2040/files/moxililuxijibobagofirugob.pdf
- https://cdn.shopify.com/s/files/1/0430/9801/3845/files/bangla_history_book_free_download.pdf
- https://cdn.shopify.com/s/files/1/0447/4689/9607/files/xebigamomafuzakuto.pdf
- https://cdn.shopify.com/s/files/1/0431/7007/0687/files/autocad_underlay.pdf
- https://cdn.shopify.com/s/files/1/0429/3722/1276/files/diwolilirososo.pdf
- https://cdn.shopify.com/s/files/1/0437/1428/1625/files/ezi_wire_windscreen_removal.pdf
- https://cdn.shopify.com/s/files/1/0428/9223/0823/files/the_perfect_start_for_note_reading.pdf
- https://cdn.shopify.com/s/files/1/0428/5720/1820/files/fidilemufifu.pdf
- https://cdn.shopify.com/s/files/1/0438/1592/7965/files/nasamewepigojit.pdf
- https://static.usrfiles.com/ugd/b8c837_3497fbb4d27147b6ab86ef5af480a36d.pdf
- https://static.usrfiles.com/ugd/61b8bf_ad1e0f2474204f7dbaa72c286a4f7777.pdf
- https://static.usrfiles.com/ugd/83e24f_c37e6032649743148b7c58c42e177a06.pdf
- https://static.usrfiles.com/ugd/4dd980_de0a4d1fa32b4200bf7a2fba21cb63a8.pdf
- https://static.usrfiles.com/ugd/ba3095_4c66c8b447d045e1afb300e3d32916f3.pdf
- https://static.usrfiles.com/ugd/b8c837_89cef761142c4c779db0111a0104eadd.pdf
- https://static.usrfiles.com/ugd/b8c837_a6174b4b10694f6aaf6d5218462505bf.pdf
- https://static.usrfiles.com/ugd/2b3f46_1c7e9896e51b444ea9d8092438e5b159.pdf
- https://static.usrfiles.com/ugd/7598fa_831b21f5acc645858ad8128907a95486.pdf
- https://static.usrfiles.com/ugd/5b5da7_cd9dfe02ea914eae84834f948fe320e7.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006caa.bind50b5495403714fcce8be53a72260fd87390f636c6b6cd185d81cd55fc071dd5 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6CAA | 5604 bytes |
font_01_sfnt_off00007fb7.bin27f2671ebbce97234779bfe356819f458a19f582fb2cee29bc479e1c16e475e7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7FB7 | 10456 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.