MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a large number of embedded links, including a critical link to a known malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.club/pify?keyword=school+supplies+vocabulary+worksheets', suggesting a lure to external content. The presence of numerous PDF links also indicates a link farm, likely for SEO manipulation or to distribute malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.club/pify?keyword=school+supplies+vocabulary+worksheets
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0430/1488/1433/files/berebujazilivegexuw.pdf
- https://cdn.shopify.com/s/files/1/0430/8451/3440/files/minecraft_forums_shaders.pdf
- https://cdn.shopify.com/s/files/1/0428/9993/1295/files/zabiporovuxudaverufusi.pdf
- https://static.usrfiles.com/ugd/b8c837_31ab62e2ed9c4746bce29bbd0a9a6965.pdf
- https://static.usrfiles.com/ugd/b8c837_85251ad486794e26b62a980bd3aacaf1.pdf
- https://static.usrfiles.com/ugd/374ce0_6c9e1216819a480ba0ff5f3656a108f1.pdf
- https://static.usrfiles.com/ugd/a382ee_586f551873cf455ab4553bcaea96e091.pdf
- https://static.usrfiles.com/ugd/d01287_0c0fe4ce6b9e434486dac8840cd945e1.pdf
- https://static.usrfiles.com/ugd/cb5dea_aa9935b874e64a17a646e103fd79dac5.pdf
- https://static.usrfiles.com/ugd/a64c8c_09a12f318a9a4fb8a913284b99a0876f.pdf
- https://static.usrfiles.com/ugd/1849a1_36b4169c37b644538acffda916041fcc.pdf
- https://static.usrfiles.com/ugd/4bb894_9ef5c27c270f413ea98814ee7d66a68f.pdf
- https://static.usrfiles.com/ugd/b8c837_21cc0cae5a5d426ca3d9d6962460034b.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00004d71.bin41c0fe67fd46f1abf539b0e115f75b429d49c995bd565919e0b576ea5e1b3d6e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4D71 | 5584 bytes |
font_01_sfnt_off00006080.bin1ea71b92ab7eeafd4c7c9be2fbcf08a3cf430951bc9e2368c008b32fdfa4ec82 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6080 | 13480 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.