MALICIOUS
Risk Score: 150
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
T1204.002 Malicious Link
The PDF contains multiple embedded links, including one to a known malicious redirector (ttraff.link) and a large number of links to external PDFs hosted on various domains. The document body, though partially corrupted, contains text suggesting it is a 'Classic blacksmithing guide', which is likely a lure. The ML classifier strongly flagged this PDF as malicious, and the presence of a link farm indicates an attempt to distribute malicious content or engage in SEO poisoning.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://ttraff.link/wix?keyword=classic+blacksmithing+guide
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00007d2c.bin 1b0b6a7b54f8ef5426f08e51267c240d19b4d0d49766b77119178dca7b257b6b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7D2C | 5364 bytes |
| font_01_sfnt_off00008f3f.bin 362b26d6009edd84ff7c2b4c988bf1f37c8988bd93bc4e310c23280e14902207 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8F3F | 10104 bytes |