MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a large number of embedded links, many of which point to a link farm designed for SEO manipulation. One prominent URL, https://ttraff.ru/wix?keyword=the+greatest+showman+piano+sheet+music+free+pdf, is identified as a malicious redirector. The ML classifier strongly indicates maliciousness, and the overall structure suggests a phishing or scam attempt disguised as a document.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wix?keyword=the+greatest+showman+piano+sheet+music+free+pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static.usrfiles.com/ugd/b8c837_bad49abe751b4e6fbf4d31c8e0ebd9e1.pdf
- https://static.usrfiles.com/ugd/6cf392_0fd8cd1e55324d3e94c2e3af57358b77.pdf
- https://static.usrfiles.com/ugd/e32576_95a32f6982284f8e8021a99ca19f2de8.pdf
- https://static.usrfiles.com/ugd/b8c837_beba4432736d44e8bebca1d18845bce3.pdf
- https://static.usrfiles.com/ugd/bf650e_3a2f1d90ba7840b0bd7532a3144e01e1.pdf
- https://static.usrfiles.com/ugd/3b0c81_e19a05baa9f54ed8aafce11f2685df07.pdf
- https://static.usrfiles.com/ugd/b8c837_a538c46f3e7540e2b482ad1377d0217a.pdf
- https://static.usrfiles.com/ugd/0047a4_ad40ad5636de47d39d82068a53989240.pdf
- https://static.usrfiles.com/ugd/384ea4_237362efd5f2425fb4f1de4b4cf35ef2.pdf
- https://static.usrfiles.com/ugd/b8c837_a6ca1f5a16b04905a656077c5c3cbf9c.pdf
- https://static.usrfiles.com/ugd/b8c837_8810646556304b8db3d75e64039a340e.pdf
- https://static.usrfiles.com/ugd/f3cb45_09ac3b142a7b4e0ba16879892b9347c0.pdf
- https://static.usrfiles.com/ugd/b8c837_29d15258593e44d387c7d55473aceaf8.pdf
- https://static.usrfiles.com/ugd/fd3290_e8633af5bcf44f059fb1100eef4d01c0.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006e37.bin4fc3aaec24853f29368174f670a68e0b379e2d756eff747b9da6d9e1e8e7edf4 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6E37 | 5576 bytes |
font_01_sfnt_off00008123.bin5f15b8115bc195a1ce4aa33ec81cb6019896cd347e744b854a83253d7dcc8dcf |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8123 | 10912 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.