MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/pify'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links, many hosted on cdn.shopify.com. The document body, though partially corrupted, contains the same redirect URL and a benign-looking PDF filename, suggesting a lure to trick users into clicking the malicious link. No scripts were extracted, but the primary attack vector appears to be social engineering via a malicious link.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=br%25C3%25BCche+addition+subtraktion+pdf
- http://files.kyeemaridge.com/uploads/1/3/1/3/131382330/2979508.pdf
- http://files.wisdomforwarriors.com/uploads/1/3/0/8/130814980/4aae0c8efeeecc8.pdf
- http://files.schec.net/uploads/1/3/1/8/131871894/6851944.pdf
- http://files.mindpractice.it/uploads/1/3/1/8/131856271/4118360.pdf
- https://cdn.shopify.com/s/files/1/0432/6935/7728/files/pilukafavewufudutup.pdf
- https://cdn.shopify.com/s/files/1/0429/6055/2085/files/43531695216.pdf
- https://cdn.shopify.com/s/files/1/0437/5887/8872/files/15011879443.pdf
- https://cdn.shopify.com/s/files/1/0437/0278/0072/files/terraria_creative_mode_mod.pdf
- https://cdn.shopify.com/s/files/1/0434/4443/7142/files/direct_tv_rebate_form_online.pdf
- https://cdn.shopify.com/s/files/1/0433/9741/5077/files/refejobukugejumasezikarip.pdf
- https://cdn.shopify.com/s/files/1/0429/6045/3785/files/povonetokizudinupafufav.pdf
- https://cdn.shopify.com/s/files/1/0428/1240/7967/files/parimizexosovudavol.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/7997453156.pdf
- https://cdn.shopify.com/s/files/1/0437/4134/7994/files/77553466236.pdf
- https://cdn.shopify.com/s/files/1/0432/0791/7729/files/contrato_administrativo_definicion.pdf
- https://cdn.shopify.com/s/files/1/0432/1063/7475/files/10307728497.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006c9d.bin7c4459ab76115f2159889b3bc017b9c9a04dd6a1e1dea3ae02963de215de5346 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6C9D | 5584 bytes |
font_01_sfnt_off00007f5a.bin5b13cc75f828d577ce658f07efeced2e9251f409a4a332ec326adf97936821ea |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7F5A | 11172 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.