MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF contains embedded links that point to a known malicious redirector, ttraff.com, which is disguised as a power of attorney form. The document also features a large number of external PDF links, many of which are benign, but the primary redirector link is a critical finding. The ML classifier also strongly indicated maliciousness.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=durable+power+of+attorney+form+arizona
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static.usrfiles.com/ugd/eed56f_ed6ab39076954ecfabc7beb566f49b43.pdf
- https://static.usrfiles.com/ugd/74a852_8ece877db9e54ea4a483a2a5c07610c0.pdf
- https://static.usrfiles.com/ugd/b8c837_21712192fa9c44589b436f303ae18796.pdf
- https://static.usrfiles.com/ugd/e745be_c3ebc42114ba434aad4705adbb5ef9b7.pdf
- https://static.usrfiles.com/ugd/544c7e_5a8a8f15fd164e9ab54214d27f72d720.pdf
- https://cdn.shopify.com/s/files/1/0458/0799/2998/files/nurusowelireroj.pdf
- https://static.usrfiles.com/ugd/a467d2_d327c9628868454ab2a5ff29ebef4ad9.pdf
- https://static.usrfiles.com/ugd/91e123_422bdddef76545949a676a0f37e65afb.pdf
- https://static.usrfiles.com/ugd/b8c837_e320280654c84fb89998e5a5cb402258.pdf
- https://static.usrfiles.com/ugd/ca32a8_b0ea06248c6244b2b903160659db8489.pdf
- https://static.usrfiles.com/ugd/de3d83_22fa89d72d2f4cb6a0dd24b1b1114d2b.pdf
- https://static.usrfiles.com/ugd/ed64d2_0f437471f7844612ba99039091780a50.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005b55.binb42efbfc1e18f1f816ada457e88df19e07678a2859a8eb0ee4e36babbb40da02 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5B55 | 5252 bytes |
font_01_sfnt_off00006d3b.bin8dc93f5c5422318c7377443eeaedecb95f1ee56ca2f1a7de19d9bcf0392b00df |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6D3B | 9832 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.