MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF document contains a link to a known malicious redirector, ttraff.club, which is likely used to funnel victims to phishing sites or malware downloads. The document also exhibits characteristics of a link farm, with numerous embedded links to other PDFs, suggesting a broader campaign. The ML classifier strongly indicated maliciousness, supporting the conclusion that this PDF is part of a malicious distribution scheme.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.club/wix?keyword=read+calvin+and+hobbes+pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0430/7802/5377/files/hallelujah_praise_ye_the_lord.pdf
- https://cdn.shopify.com/s/files/1/0437/2201/4870/files/wepodej.pdf
- https://cdn.shopify.com/s/files/1/0433/4003/8302/files/phenomenological_approach_qualitative_research.pdf
- https://static.usrfiles.com/ugd/66c878_b51df00271204ab0b6f5a9767309d1d3.pdf
- https://static.usrfiles.com/ugd/b8c837_356b15b450b24591b0eb03bcefb11b74.pdf
- https://static.usrfiles.com/ugd/66c878_1e1555efc4034442841db9327851ad17.pdf
- https://static.usrfiles.com/ugd/4bdc6d_6f0484c2e00549e48d8149f2ec5bea19.pdf
- https://static.usrfiles.com/ugd/fd30ac_1be19cf33c1f4948abda26ca8e2d97ed.pdf
- https://static.usrfiles.com/ugd/ceb2e8_113b7269c7714793a7b715d73a8ee9a3.pdf
- https://static.usrfiles.com/ugd/cfa91a_2e88877a48ba48ad9d8550d336bb170d.pdf
- https://static.usrfiles.com/ugd/9ec29b_08c85e7a356b43fa8e6187721b1b5f73.pdf
- https://static.usrfiles.com/ugd/963627_f4e5b8414c97457e8d1d397934ff038c.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00004346.binf4904fd022df7d1062657b264ac60ce4102ae338bcb9ee121359f0e17e5a6451 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4346 | 5356 bytes |
font_01_sfnt_off00005583.bin55de71e8ef5b48e3a97e7b120ea0340185881f85a27499a29e7040ff00e901e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5583 | 9296 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.