MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF was flagged by multiple critical heuristics indicating malicious redirector links and a link farm. The ML classifier also strongly indicated maliciousness. The document body contains the text 'Five steps to risk assessment hse pdf' and numerous URLs, including a suspicious one hosted on 'ttraff.ru' which is identified as a malicious redirector. The presence of a large number of external links suggests an attempt to lure users to potentially harmful sites.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=five+steps+to+risk+assessment+hse+pdf
- http://files.artcebu.com/uploads/1/3/0/8/130814859/rerowesen.pdf
- http://files.ashlandday.com/uploads/1/3/1/6/131636675/295edc6d1f6609.pdf
- http://files.rachellelabellesbooks.com/uploads/1/3/1/8/131857304/17094d495744.pdf
- https://cdn.shopify.com/s/files/1/0429/0763/1779/files/niriku.pdf
- https://cdn.shopify.com/s/files/1/0434/4964/7264/files/63420464122.pdf
- https://cdn.shopify.com/s/files/1/0435/3831/7464/files/kokugafemizefabuzi.pdf
- https://cdn.shopify.com/s/files/1/0430/9565/4564/files/57437176235.pdf
- https://cdn.shopify.com/s/files/1/0437/4901/5701/files/29123765095.pdf
- https://cdn.shopify.com/s/files/1/0429/5557/1353/files/41721934366.pdf
- https://cdn.shopify.com/s/files/1/0431/6758/0322/files/youtube_video_format.pdf
- https://cdn.shopify.com/s/files/1/0427/5650/5756/files/14146494698.pdf
- https://cdn.shopify.com/s/files/1/0430/9526/1348/files/argentometri_adalah.pdf
- https://cdn.shopify.com/s/files/1/0440/7610/5893/files/29891782257.pdf
- https://cdn.shopify.com/s/files/1/0447/2481/3977/files/john_deere_322.pdf
- https://cdn.shopify.com/s/files/1/0440/2210/4229/files/wudulirufoxoto.pdf
- https://cdn.shopify.com/s/files/1/0433/9544/8999/files/468789199.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000667e.binc02f37c3de41d5ca1b4f30d457090a562e98c708a834f14f609fb39ebc9e571d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x667E | 5328 bytes |
font_01_sfnt_off00007880.binf25e82494192bbd757d00a409e76b977b6d6e81f7e9a24fa7574f62afa01969a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7880 | 10216 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.