MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains embedded links, with one prominently pointing to a known malicious redirector infrastructure at 'https://ttraff.com/pify?keyword=energy+medicine+pdf'. The document body, though heavily obfuscated, contains text fragments that suggest a lure related to 'energy medicine'. The presence of numerous external PDF links, many hosted on Shopify, indicates a link farm strategy. The ML classifier strongly flagged this PDF as malicious.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=energy+medicine+pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0479/0930/6532/files/fatokedoxiwix.pdf
- https://cdn.shopify.com/s/files/1/0436/0732/6882/files/55880349058.pdf
- https://cdn.shopify.com/s/files/1/0429/4970/5881/files/26387653010.pdf
- https://cdn.shopify.com/s/files/1/0429/6785/9359/files/bollywood_all_full_hd_mkv_movie.pdf
- https://d4905d36-6eaa-4f61-bbdf-c77690b1bfed.filesusr.com/ugd/724bd4_120a99af2fd24d518d93f3a4b8c67c6f.pdf?index=true
- https://ad3ef77e-4325-4a20-b247-80647c1725f2.filesusr.com/ugd/6df952_4e46f2dbb66c4932bc3bca09de98f4b8.pdf?index=true
- https://07b15895-a83e-4d8e-848a-89d0fff967e8.filesusr.com/ugd/96a426_c4d1bf24fd1b4b989c76ea4ba5bd13f9.pdf?index=true
- https://bd4b45a8-c18c-4fa1-8e83-c15bd994fdfc.filesusr.com/ugd/29c71c_6e0fc4c2b326444c89a5d65509c62855.pdf?index=true
- https://efe4f7c9-c973-492a-866f-917476020624.filesusr.com/ugd/31593d_b6709409d6e546e59e5092ec3b4e183a.pdf?index=true
- https://55015c23-8ac5-48c2-be35-a081191098f1.filesusr.com/ugd/8a05ec_9e2a820394f04194916f571515f006a4.pdf?index=true
- https://cdn.shopify.com/s/files/1/0428/3888/4519/files/eylf_planning_cycle_template.pdf
- https://cdn.shopify.com/s/files/1/0434/3863/7208/files/geputemamuxetubegabe.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00014cac.bine445ad4c3003f0fa673cf516fa0fdbbd3884c6b9b7de8ea0b3b8b74f303ca6a7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x14CAC | 5116 bytes |
font_01_sfnt_off00015e0f.bin4bce5da77d4b9f5bc50ae9d05d4d23994f9f92d77f24760ca6cc31a171a5a477 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x15E0F | 10688 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.