MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a link to a known malicious redirector, ttraff.cc, which is likely intended to lead the user to a malicious site. The document also contains a large number of links to external PDFs, many of which appear to be generated for SEO purposes, suggesting a link farm or spamming operation. The ML classifier strongly indicates maliciousness, and the presence of a redirector URL points to a phishing or scam attempt.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wix?keyword=allopathy+vs+homeopathy+pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static.usrfiles.com/ugd/9ff9b8_ee9f6136791d46398355190c5e87fc0d.pdf
- https://static.usrfiles.com/ugd/b8c837_f721d03694f1425494fa6545c4b64ef2.pdf
- https://static.usrfiles.com/ugd/d017d5_78b5365c0c8446bdb56ff5cc14eb7b30.pdf
- https://static.usrfiles.com/ugd/b42fd6_3a399ffdfa5146b7a35d5f947a600180.pdf
- https://static.usrfiles.com/ugd/66c878_5bc2adbf8a7643cba639412d1fab12bc.pdf
- https://cdn.shopify.com/s/files/1/0432/7872/9374/files/46617860827.pdf
- https://cdn.shopify.com/s/files/1/0431/0378/1015/files/kejojarutifimidukasaf.pdf
- https://cdn.shopify.com/s/files/1/0431/3110/9540/files/gerogoriralatisa.pdf
- https://cdn.shopify.com/s/files/1/0438/2906/7933/files/vudezegomi.pdf
- https://cdn.shopify.com/s/files/1/0435/9448/1823/files/52031461805.pdf
- https://cdn.shopify.com/s/files/1/0430/7995/8679/files/avanzabus_app_android.pdf
- https://cdn.shopify.com/s/files/1/0431/3343/6055/files/arizona_beneficiary_deed_form.pdf
- https://static.usrfiles.com/ugd/0a593f_41a6b699aa624478bf9697b79a62ba33.pdf
- https://static.usrfiles.com/ugd/db1da1_f165ec6e054f40bfa63ca7546fb5fa40.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006e54.bin2d915e54cf23bea0bbbde0d786a8b31b4740db5a1488b1def459a3f1f0317248 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6E54 | 5336 bytes |
font_01_sfnt_off00008066.bin65c360cc151683eba84e87d17643b3b59337b34fff6b858aedf890e9b078d362 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8066 | 9596 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.