MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a critical heuristic firing for a malicious redirector link, directing users to 'ttraff.ru'. Additionally, it exhibits a PDF link farm pattern, embedding numerous external links, with the primary one being a potential lure. The ML classifier strongly supports the malicious nature of this PDF. The document body, though heavily obfuscated, contains metadata suggesting it was generated by wkhtmltopdf, a tool sometimes used to create malicious documents.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wb?keyword=to%20be%20verb%20past%20tense%20worksheet
- http://files.faithgp.com/uploads/1/3/0/9/130969061/vixax.pdf
- http://files.businessmanagementorganizer.com/uploads/1/3/0/9/130969077/765f62582471.pdf
- http://files.greatplainsbeagles.com/uploads/1/3/0/8/130814868/5855319.pdf
- https://cdn.shopify.com/s/files/1/0430/7009/5521/files/kawetu.pdf
- https://cdn.shopify.com/s/files/1/0430/4555/2290/files/5902059437.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/31995481059.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/metegemekipezafekude.pdf
- https://cdn.shopify.com/s/files/1/0434/4827/1000/files/84419498341.pdf
- https://dijilavuxiji.files.wordpress.com/2020/06/59808054058.pdf
- https://napipivo.files.wordpress.com/2020/06/83818228878.pdf
- https://dajovofad.files.wordpress.com/2020/06/83519874708.pdf
- https://jarojadum.files.wordpress.com/2020/06/87625604165.pdf
- https://nafevulaxa.files.wordpress.com/2020/07/wumite.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/20785775646.pdf
- https://cdn.shopify.com/s/files/1/0431/5525/9560/files/44111231728.pdf
- https://cdn.shopify.com/s/files/1/0427/9320/5916/files/19954011924.pdf
- https://cdn.shopify.com/s/files/1/0427/9622/0572/files/kuvesuk.pdf
- https://cdn.shopify.com/s/files/1/0428/8151/5673/files/ninomeziwikodedatud.pdf
- https://cdn.shopify.com/s/files/1/0431/1816/6167/files/89509635092.pdf
- https://cdn.shopify.com/s/files/1/0430/3015/1330/files/41907306845.pdf
- https://cdn.shopify.com/s/files/1/0429/6212/4959/files/goxelutanijize.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/0434
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006f24.bin42f4c8467f38fee531e016eb362220f37f9817886fd72062e4e6fb1e0cd20c5e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6F24 | 4920 bytes |
font_01_sfnt_off00007fd6.bin3c04b6eed27bfe674035c3f9fc2a10843bc139cf442bccda6b9212105206e026 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7FD6 | 10644 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.