Malware Insights
The PDF contains numerous embedded links, with a critical heuristic firing for a malicious redirector. The primary malicious URL identified is https://ttraff.com/wb?keyword=pdf%20annotation%20windows%20surface, which is likely used to lure victims into clicking on seemingly legitimate content. The presence of a large number of external PDF links, many hosted on Shopify, suggests a link farm or SEO poisoning tactic to improve search engine visibility for malicious content. No scripts were extracted, but the PDF structure and embedded links strongly indicate a phishing or redirection attempt.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wb?keyword=pdf%20annotation%20windows%20surface
- http://files.rochesterarealiteracycouncil.org/uploads/1/3/0/8/130813991/e47602e.pdf
- http://files.adventurerunningco.com/uploads/1/3/0/7/130740212/f88527119359.pdf
- http://pibase.liveresco.com/uploads/1/3/1/8/131871991/913643.pdf
- http://files.raveim.org/uploads/1/3/2/6/132682142/kaleko.pdf
- https://cdn.shopify.com/s/files/1/0427/6633/6167/files/69004823559.pdf
- https://cdn.shopify.com/s/files/1/0437/4147/9066/files/fotisavijasevezivulef.pdf
- https://cdn.shopify.com/s/files/1/0439/3874/2430/files/69365553307.pdf
- https://cdn.shopify.com/s/files/1/0429/6422/2101/files/desufez.pdf
- https://cdn.shopify.com/s/files/1/0435/6653/0721/files/13843753288.pdf
- https://cdn.shopify.com/s/files/1/0435/6620/3029/files/rekuwusawululekorol.pdf
- https://cdn.shopify.com/s/files/1/0432/4494/5571/files/cours_administration_systeme_linux.pdf
- https://cdn.shopify.com/s/files/1/0431/1059/6765/files/megabytes_to_bytes.pdf
- https://cdn.shopify.com/s/files/1/0432/6404/9318/files/online_converter_to_to_jpg.pdf
- https://cdn.shopify.com/s/files/1/0429/2640/7833/files/favanemopup.pdf
- https://cdn.shopify.com/s/files/1/0436/5703/5929/files/kusubedepe.pdf
- https://cdn.shopify.com/s/files/1/0431/7125/0333/files/nukudukokapirumezuped.pdf
- https://cdn.shopify.com/s/files/1/0432/6952/1568/files/metro_map_madrid_spain.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006e4b.binad097df6e4aa33687e6b7af9193e783136f9fe901b61e3a756e8e94210b28b2c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6E4B | 5076 bytes |
font_01_sfnt_off00007fae.bineb3e92cc3370b00347b2ff2a812e43c0632814eaa8820005182bc88cf2d00811 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7FAE | 11696 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.