MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a heuristic firing for a malicious redirector link, which points to 'ttraff.me'. The document body, though heavily obfuscated, contains the same URL and appears to be a lure related to sheet music. The presence of a large number of external PDF links, many pointing to 'static.usrfiles.com', suggests a link farm or content distribution network used to host malicious or deceptive content. The ML classifier also strongly flagged this PDF as malicious.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.me/wix?keyword=carol+of+the+bells+pentatonix+sheet+music
- https://static.usrfiles.com/ugd/b8c837_6573bfaeffc24253bee62bc962877ac2.pdf
- https://static.usrfiles.com/ugd/f3ecbe_64650e8dc112427fa58ca3ceadd610e3.pdf
- https://static.usrfiles.com/ugd/fdee49_c33f525b50644848a07d1cbbc1936fec.pdf
- https://static.usrfiles.com/ugd/77941b_017669a621354724aa0e4cf3adb8610b.pdf
- https://static.usrfiles.com/ugd/576447_e49bf40056c14a569628fa2d91306919.pdf
- https://static.usrfiles.com/ugd/4826f5_c40f4ca769d94dc2bf7dc682928552a9.pdf
- https://static.usrfiles.com/ugd/ae15ca_fcc9d9a1877c452181a06514695a067a.pdf
- https://static.usrfiles.com/ugd/b5472a_e000c4cd84b44443b14cfb9d8d8cb6d1.pdf
- https://static.usrfiles.com/ugd/b8c837_1e529965e6e147beb781697430368693.pdf
- https://static.usrfiles.com/ugd/0c8cc8_cf00bdad937646ebb74a934cc927eed0.pdf
- https://cdn.shopify.com/s/files/1/0433/9000/9502/files/16186345476.pdf
- https://cdn.shopify.com/s/files/1/0428/3249/4751/files/juvudos.pdf
- https://cdn.shopify.com/s/files/1/0440/5841/1160/files/xofomanoxolusasi.pdf
- https://cdn.shopify.com/s/files/1/0428/6195/3191/files/foxit.pdf
- https://cdn.shopify.com/s/files/1/0429/9682/6273/files/35358868258.pdf
- https://cdn.shopify.com/s/files/1/0433/8286/6072/files/lonorixavemowarut.pdf
- https://cdn.shopify.com/s/files/1/0432/6375/4404/files/4446637089.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000061d1.binc373016ae832b73b4f260a45ef9fbfce8ebbbb64e36dfef12a337d7e66acb5f9 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x61D1 | 5368 bytes |
font_01_sfnt_off000073eb.binc0d004f8f6bf633000ee25c69c45f1ce038999c91f7914fbf4fc8b12c4080c4b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x73EB | 14764 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.