Verdict: MALICIOUS
Risk Score: 154
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains embedded links, one of which, 'https://ttraff.club/wix?keyword=drew+and+danny+real+estate+seminars', is identified as a malicious redirector. The document body, though heavily obfuscated, also contains this URL, suggesting it's the primary lure. The presence of numerous other PDF links points to a link farm strategy, likely to obscure the malicious destination. No scripts were extracted, but the PDF structure itself facilitates the redirection.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics (4)
- PDF links to known malicious redirector infrastructure [critical, PDF_MALICIOUS_REDIRECTOR_LINK]: PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://ttraff.club/wix?keyword=drew+and+danny+real+estate+seminars
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00005c71.bin | e1cde53a9c28d75c06100d88a18ce289cac231eaaa8024c9013a467ee0425e2d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5C71 | 5164 bytes |
| font_01_sfnt_off00006e09.bin | f6c2d094156109e7eb218e9a198147bd9633fd53528b414f78b13d5b0322db86 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6E09 | 10688 bytes |