MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
T1204.002 Malicious Link
The PDF contains a heuristic firing for a malicious redirector link pointing to 'ttraff.com'. The document body, though heavily obfuscated, also contains this URL and another Shopify URL, suggesting a link farm or lure. The ML classifier strongly indicates maliciousness. The primary attack pattern involves tricking the user into clicking a malicious link, which is likely intended to lead to credential harvesting or further malware deployment.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=journey+2050+worksheet
- http://kisus.total-recovery.co.uk/uploads/1/3/2/7/132710575/aaea3c94.pdf
- http://files.yhwhourrighteousnesschicago.net/uploads/1/3/1/8/131856545/3372068.pdf
- https://cdn.shopify.com/s/files/1/0437/1713/2442/files/lonely_planet_russia_free.pdf
- https://cdn.shopify.com/s/files/1/0429/0985/9999/files/soxijumipibasiwepa.pdf
- https://cdn.shopify.com/s/files/1/0432/7571/4715/files/free_games_harvest_honors.pdf
- https://cdn.shopify.com/s/files/1/0433/4849/2438/files/42873768574.pdf
- https://cdn.shopify.com/s/files/1/0433/4993/4231/files/commercial_broker_fee_agreement.pdf
- https://cdn.shopify.com/s/files/1/0431/5466/9729/files/suvibowiroxelonulubumef.pdf
- https://cdn.shopify.com/s/files/1/0447/6986/9975/files/wings_birdy_lyrics.pdf
- https://cdn.shopify.com/s/files/1/0429/5360/5273/files/gupibemujumokota.pdf
- https://cdn.shopify.com/s/files/1/0433/6504/0286/files/9676034926.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/41448402009.pdf
- https://cdn.shopify.com/s/files/1/0435/6807/0824/files/79419507001.pdf
- https://cdn.shopify.com/s/files/1/0436/6699/7398/files/76633411579.pdf
- https://cdn.shopify.com/s/files/1/0434/7248/6564/files/1368222483.pdf
- https://cdn.shopify.com/s/files/1/0437/2994/4730/files/skull_base_anatomy.pdf
- https://cdn.shopify.com/s/files/1/0431/3058/5239/files/jupakogi.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000ab01.bind9e88fee265e0c96af17f13dd851e6a17a7d3b2481df427b8e11a883307744bd |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xAB01 | 5176 bytes |
font_01_sfnt_off0000bcbc.bin2cf5a8838fa523d804e782a90ac52cb4aa42d9c660fc371584247b7404380e07 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xBCBC | 11072 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.