MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF document contains numerous links, including one pointing to a known malicious redirector at `ttraff.com`. The document body, though heavily obfuscated, contains the same URL and other links to PDF files hosted on Shopify, suggesting a link farm or redirection scheme. The ML classifier also strongly indicated maliciousness.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=ibrahim+sangare+scout+report
- http://files.naheffa.com/uploads/1/3/1/4/131453316/9475297.pdf
- http://files.asheleijohnsoncounseling.com/uploads/1/3/0/8/130874634/4885750.pdf
- http://lonuwe.informationsystemdynamics.net/uploads/1/3/0/7/130739024/f95a5b830040.pdf
- http://files.followtheleda.com/uploads/1/3/1/3/131384436/dilelelurizup.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/vinujavezo.pdf
- https://cdn.shopify.com/s/files/1/0433/8358/6977/files/24991130108.pdf
- https://cdn.shopify.com/s/files/1/0436/0182/1859/files/likedidowudubit.pdf
- https://cdn.shopify.com/s/files/1/0433/8502/8775/files/74053892151.pdf
- https://cdn.shopify.com/s/files/1/0438/6832/4005/files/lodevukesutefuj.pdf
- https://cdn.shopify.com/s/files/1/0436/2698/7680/files/diliwekesatojijubonamu.pdf
- https://cdn.shopify.com/s/files/1/0431/6463/1195/files/93672859118.pdf
- https://cdn.shopify.com/s/files/1/0430/5184/3737/files/53828847660.pdf
- https://cdn.shopify.com/s/files/1/0430/6213/2897/files/33054666654.pdf
- https://cdn.shopify.com/s/files/1/0436/9462/0837/files/putew.pdf
- https://cdn.shopify.com/s/files/1/0427/4959/1718/files/63632437678.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00008542.bin2f53c0b338b27d8c4c34f23d8a247e13c62c19be9d9b1b8e636600e98bcd3db2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8542 | 5392 bytes |
font_01_sfnt_off00009768.bin496dee1c59167051124c81562d5de2aba1afc62732f2b2bdb24e19351bb3946e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9768 | 10576 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.