MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a link farm designed to redirect users to malicious infrastructure, specifically to 'https://ttraff.me/wix?keyword=amoeba+sisters+video+recap+answers+natural+selection'. The document body, though heavily obfuscated, contains this same URL, indicating a lure to a potentially harmful site. The presence of numerous other PDF links suggests a broad SEO poisoning or link farm strategy.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.me/wix?keyword=amoeba+sisters+video+recap+answers+natural+selection
- https://cdn.shopify.com/s/files/1/0430/1350/5185/files/sabobawalagoz.pdf
- https://cdn.shopify.com/s/files/1/0438/3100/1250/files/10982402689.pdf
- https://cdn.shopify.com/s/files/1/0432/1135/8372/files/walmart_employee_handbook.pdf
- https://static.usrfiles.com/ugd/64d889_2691295b80f14ed9a0ce2524be1753a6.pdf
- https://static.usrfiles.com/ugd/fb5067_bf7225a283794d44937505bca7734e81.pdf
- https://static.usrfiles.com/ugd/9bd8c3_a912d9c83a55475ebf9382796b7a7959.pdf
- https://static.usrfiles.com/ugd/e8dba5_0d364b70635841feb382de3700e3ca64.pdf
- https://static.usrfiles.com/ugd/1be480_3c4598c379ed475e884b932d02d4154a.pdf
- https://static.usrfiles.com/ugd/db93e9_491142241882457888c3a5a3239c06a9.pdf
- https://static.usrfiles.com/ugd/930050_858a60a28288408b9f5e0d1e986214ae.pdf
- https://static.usrfiles.com/ugd/10b11f_da91d4b61f6645d991d45884d7b5cfdc.pdf
- https://static.usrfiles.com/ugd/3ed902_470d9769345c4b20a72549d95e456c1d.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000442e.bine1bf3e806099061ff84a83df5e81b18424ca837809ed31e8f869b3e326830e3b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x442E | 5500 bytes |
font_01_sfnt_off000056da.bin39fd71cf75991d2ded5c3e6d2ce234ef34154bc5cf814cd8c00114333f1c0c95 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x56DA | 9404 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.