MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a large number of embedded links, many of which point to a redirector service (ttraff.cc) known for malicious activity. The document body is heavily obfuscated and contains a URL that appears to be part of a link farm designed to manipulate search engine results. The presence of numerous Shopify-hosted PDFs suggests an attempt to disguise malicious links within seemingly legitimate content. No scripts were extracted from this sample.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=developing+countries+characteristics+pdf
- http://files.safeaccess4uas.com/uploads/1/3/2/6/132682106/vonobuveg_vojexiteda_tafezawixe_mosopiva.pdf
- http://files.mosssnowsticksouthpacific.com/uploads/1/3/0/8/130813855/mikimewumipi.pdf
- http://files.monashsoccerclub.com/uploads/1/3/0/7/130738951/zidizew_ruxagovepagen.pdf
- https://cdn.shopify.com/s/files/1/0436/9291/6891/files/tibumevigoduze.pdf
- https://cdn.shopify.com/s/files/1/0429/7680/5013/files/rofifabonemofanoti.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/63529720688.pdf
- https://cdn.shopify.com/s/files/1/0429/1733/1100/files/remigevelepiduxotanemoku.pdf
- https://cdn.shopify.com/s/files/1/0432/5546/4104/files/4861407605.pdf
- https://cdn.shopify.com/s/files/1/0440/0090/3318/files/61166039577.pdf
- https://cdn.shopify.com/s/files/1/0434/0911/3253/files/25542546193.pdf
- https://cdn.shopify.com/s/files/1/0430/0167/5939/files/46676632794.pdf
- https://cdn.shopify.com/s/files/1/0431/1141/5959/files/zadogikenufawom.pdf
- https://cdn.shopify.com/s/files/1/0432/7807/4020/files/48571073567.pdf
- https://cdn.shopify.com/s/files/1/0430/2936/4885/files/mokivazawojumewiwafozike.pdf
- https://cdn.shopify.com/s/files/1/0431/9408/9635/files/zofos.pdf
- https://cdn.shopify.com/s/files/1/0432/4042/3592/files/binary_to_gray_code_conversion_truth_table.pdf
- https://www.cancer.gov/coronavirus
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000075cd.bin61c6b90e0749b92c5a74998da2e70653dc5cb65238729dac13681f90b1d7e9dd |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x75CD | 5476 bytes |
font_01_sfnt_off0000887b.binc9b7554e42441fa4719c7ec30388a352412509b2cc516184c2280299c5e24a0b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x887B | 11032 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.