MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a large number of embedded links, many of which point to PDF files hosted on Shopify. One of these links, however, redirects to a known malicious domain (ttraff.cc). This suggests a link farm or redirection tactic to obscure the final malicious destination. The ML classifier also strongly indicated maliciousness.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=patofisiologi+stomatitis+aftosa+rekuren+pdf
- http://files.tanyawilliams.org/uploads/1/3/1/4/131407047/vajosexobi.pdf
- http://files.q-bos.com/uploads/1/3/2/7/132741064/zixuvukafikow_gejebexema_zurulenena.pdf
- http://zumezumo.mosaico.ch/uploads/1/3/1/3/131380213/3b4214529aa3a0.pdf
- http://files.ronnieroseband.com/uploads/1/3/0/8/130813797/a7f99.pdf
- https://cdn.shopify.com/s/files/1/0436/6221/3273/files/ptcb_practice_tests_2015.pdf
- https://cdn.shopify.com/s/files/1/0448/4068/1633/files/basic_technical_mathematics_with_calculus_10th_edition.pdf
- https://cdn.shopify.com/s/files/1/0437/3384/4119/files/38190087182.pdf
- https://cdn.shopify.com/s/files/1/0428/9495/0556/files/72265800686.pdf
- https://cdn.shopify.com/s/files/1/0431/6397/5835/files/98393636846.pdf
- https://cdn.shopify.com/s/files/1/0428/6427/9718/files/leaked_snapchat_by_location.pdf
- https://cdn.shopify.com/s/files/1/0435/3726/8900/files/74767793135.pdf
- https://cdn.shopify.com/s/files/1/0429/7441/2949/files/bomisufasatozebudumitude.pdf
- https://cdn.shopify.com/s/files/1/0431/2678/4157/files/japji_sahib_meaning_in_punjabi.pdf
- https://cdn.shopify.com/s/files/1/0431/9140/2660/files/wcf_tutorials.pdf
- https://cdn.shopify.com/s/files/1/0431/7754/1792/files/minecraft_pe_0._12._3_apk.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000051a9.bin394da4773421a061e69e10eef25deedcceb55e472a31b6b11e0585a308a6b912 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x51A9 | 5428 bytes |
font_01_sfnt_off00006411.bin4e2b4f5e58d9f51b328f1174ec89809c3b07367cfb8e7f14ffd11eab7ff5cff2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6411 | 10028 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.