MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a large number of embedded links, many pointing to Shopify domains, suggesting an attempt at SEO poisoning to drive traffic to malicious sites. One critical heuristic identified a link to a known malicious redirector at 'ttraff.ru'. The document body, though heavily obfuscated, contains text related to academic papers, reinforcing the lure. No scripts were extracted from this sample.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wb?keyword=causes%20of%20migration%20in%20africa%20pdf
- http://files.evanchambers.net/uploads/1/3/1/6/131606035/refezirex_nerimoxef_radiwuvo.pdf
- http://files.uconnpremedicalsocietynewsletter.com/uploads/1/3/1/4/131437247/4518692.pdf
- http://files.harderide.com/uploads/1/3/1/3/131397964/biwadirowiwu-tigil-zatobe-fuzenasagi.pdf
- https://cdn.shopify.com/s/files/1/0434/4859/8678/files/fipofusokusutodakiz.pdf
- https://cdn.shopify.com/s/files/1/0431/4172/6370/files/86336926471.pdf
- https://cdn.shopify.com/s/files/1/0433/4505/1797/files/90280670494.pdf
- https://cdn.shopify.com/s/files/1/0431/2491/6388/files/30317111076.pdf
- https://cdn.shopify.com/s/files/1/0438/6009/9222/files/xusovonopexenivakikofuni.pdf
- https://rufumeridap.files.wordpress.com/2020/06/1791722409.pdf
- https://gerenulim.files.wordpress.com/2020/07/robivogilisoboganoxumabe.pdf
- https://volutabeni.files.wordpress.com/2020/06/22087463124.pdf
- https://jifumulunubi.files.wordpress.com/2020/06/ludijetesiwez.pdf
- https://kukokukaxu994053571.files.wordpress.com/2020/07/96605558211.pdf
- https://cdn.shopify.com/s/files/1/0433/8476/6620/files/nujesidabulaxojaje.pdf
- https://cdn.shopify.com/s/files/1/0431/3006/0955/files/4658476069.pdf
- https://cdn.shopify.com/s/files/1/0430/3863/8241/files/66279384700.pdf
- https://cdn.shopify.com/s/files/1/0435/6797/2513/files/purolipob.pdf
- https://cdn.shopify.com/s/files/1/0432/8236/6629/files/fujotorenoporo.pdf
- https://cdn.shopify.com/s/files/1/0432/0424/7715/files/zuxujenolu.pdf
- https://cdn.shopify.com/s/files/1/0429/6517/2387/files/tereborekamam.pdf
- https://cdn.shopify.com/s/files/1/0438/9086/8379/files/peribegadeled.pdf
- https://cdn.shopify.com/s/files/1/0433/5039/2984/files/zupifedok.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000c4a6.binfdfec750e3cd1cfd5e3001a1f54b113f0f4805ce1bcd2d8815171a259119822e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC4A6 | 5348 bytes |
font_01_sfnt_off0000d6c1.binb265a0d5f15ad804fc65bd4b4b4d4cb3f22cb4ba5ae3a8fedc74ab2c48a5f1c7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD6C1 | 10112 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.