MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1200 Hardware Add-in
T1059.001 PowerShell
T1059.003 Windows Command Shell
The PDF contains numerous links, including one to a known malicious redirector (ttraff.cc). This redirector is likely used to obscure the final destination and potentially deliver a malicious payload. The presence of a large number of external PDF links, many hosted on Shopify, suggests a link farm or SEO poisoning tactic to increase visibility and lure victims. The ML classifier strongly indicates maliciousness.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wb?keyword=classification%20of%20living%20things%20quiz%20pdf
- http://files.prmueller.co.uk/uploads/1/3/0/7/130739835/kiduzabamarite.pdf
- http://files.mothersforothers.org/uploads/1/3/1/0/131071067/9f748ceb5fa0db.pdf
- http://files.ahlivintage.com/uploads/1/3/1/4/131406403/3233322.pdf
- http://files.stlukeshhi.org/uploads/1/3/0/7/130739052/3d14d6f.pdf
- https://cdn.shopify.com/s/files/1/0429/6117/4684/files/fegeliditeti.pdf
- https://cdn.shopify.com/s/files/1/0432/9055/8622/files/73684088913.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/2033782386.pdf
- https://lufafoga.files.wordpress.com/2020/07/66387547660.pdf
- https://molejupo.files.wordpress.com/2020/06/65444392783.pdf
- https://jowoxub.files.wordpress.com/2020/07/mofafok.pdf
- https://cdn.shopify.com/s/files/1/0431/5850/3573/files/99252691385.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/satofekefekuwozavobijogut.pdf
- https://cdn.shopify.com/s/files/1/0429/1022/0447/files/tewobakilixozelirifo.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/zudofujavulasosajawigubi.pdf
- https://cdn.shopify.com/s/files/1/0431/5670/1346/files/bevonilodo.pdf
- https://cdn.shopify.com/s/files/1/0428/5458/0391/files/xesalu.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/fixasitisajixumazurezeve.pdf
- https://cdn.shopify.com/s/files/1/0431/9045/2385/files/bozokoponezonufasanaze.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000064ca.bin7b2755640126d8f4e93b56eddab009d5ecfe9ec6790811528f3822d25847ca65 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x64CA | 5344 bytes |
font_01_sfnt_off000076f4.bin4ed4f998d96972b167a2a3720b88eebcfc3fee5d9c9129ee1177ac2693d67924 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x76F4 | 10216 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.