MALICIOUS
94
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.ru/pify?keyword=blitzcrank+build+support'. The ML classifier also strongly flagged this PDF as malicious. While no scripts were extracted, the embedded URL is the primary indicator of malicious intent, likely serving as a lure for further compromise.
Machine Learning
- Nyx PDF Classifier malicious score 0.9938
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=blitzcrank+build+support
- http://files.tonyarepslove.com/uploads/1/3/1/8/131856456/1551648.pdf
- http://files.jjtothethirdpower.com/uploads/1/3/1/4/131482916/7a5a99.pdf
- http://files.baileyjackartstudio.com/uploads/1/3/2/3/132303150/2994829.pdf
- http://files.brice-williams.com/uploads/1/3/0/7/130739742/bidama-gulebakit-gagemu-wogamosuriso.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/66916333827.pdf
- https://cdn.shopify.com/s/files/1/0431/6934/9794/files/19699505449.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/zutowujovepenatugipo.pdf
- https://cdn.shopify.com/s/files/1/0433/8827/2807/files/nawapogujefebotux.pdf
- https://cdn.shopify.com/s/files/1/0434/6744/0294/files/leverage_full_episodes.pdf
- https://cdn.shopify.com/s/files/1/0434/3506/5510/files/75816809757.pdf
- https://cdn.shopify.com/s/files/1/0429/4914/8828/files/53154713602.pdf
- https://cdn.shopify.com/s/files/1/0435/8098/1403/files/free_receipt_maker.pdf
- https://cdn.shopify.com/s/files/1/0434/3290/2806/files/zarivitezezarufeze.pdf
- https://cdn.shopify.com/s/files/1/0432/1656/8482/files/gulebizezi.pdf
- https://cdn.shopify.com/s/files/1/0437/2240/8087/files/random_number_between_100-_999.pdf
- https://cdn.shopify.com/s/files/1/0431/4071/0566/files/42843157122.pdf
- https://cdn.shopify.com/s/files/1/0432/2109/0471/files/konofedivumasatapus.pdf
- https://cdn.shopify.com/s/files/1/0428/5281/0911/files/gerates.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000470e9.bin437f9819ff4aea2266c43794c7371574019730e26fa7f80159412433c4c73551 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x470E9 | 5372 bytes |
font_01_sfnt_off0004833c.bin06b6f7dd42bf4cc9c59e7aa18bea271531dce10928a6da8aa112e73c471e9049 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4833C | 16644 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.