Malware Insights
A heuristic fired on a malicious redirector link in the PDF, pointing to 'https://ttraff.link/wix?keyword=lost+omens+character+guide+pdf'. This URL is designed to trick users into believing they are downloading a legitimate character guide, but it redirects to malicious infrastructure. The document also contains a large number of embedded links, many of them to benign file-hosting services, but the malicious redirector is the primary indicator of malicious intent. No scripts were extracted from this sample.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://ttraff.link/wix?keyword=lost+omens+character+guide+pdf
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00007220.bin 940041c490e5e290dfd4f2aa812a8d052a6e9d1d1479b275616022b441130416 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7220 | 5480 bytes |
| font_01_sfnt_off0000849b.bin 5d270849b71b534aa30628a0876a2d211d5940f67e400497c5c67b8d52b44b35 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x849B | 15072 bytes |