Risk Score: 134 (MALICIOUS)
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The sample is a PDF document that triggered a heuristic for a malicious redirector link, specifically one pointing to a URL associated with advance-fee scams. The ML classifier also flagged it with high confidence. The embedded URL, 'https://ttraff.ru/wix?keyword=rio+viviente+isaac+asimov+pdf+gratis', is the primary IOC and likely serves as the entry point for the scam.
Machine Learning
- Nyx PDF Classifier malicious score 0.9936
Heuristics (4)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Advance-fee lottery/parcel scam lure (high, SE_ADVANCE_FEE_SCAM_LURE): Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Flagged URL: https://ttraff.ru/wix?keyword=rio+viviente+isaac+asimov+pdf+gratis
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0005bcab.bin | afc8e4e1bc79aa7ee7f28c5916438838c04646490f309e11eef1784053de4452 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5BCAB | 5512 bytes |
| font_01_sfnt_off0005cf62.bin | 9245778f10d0f54b10be4466d77d4fec3dac84a05e0215739321e3971a85ae5e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5CF62 | 15332 bytes |