Malware Insights
The PDF file was flagged by a machine learning classifier and contains numerous embedded links. One critical heuristic identified a clickable link to known malicious redirector infrastructure, https://ttraff.ru/pify?keyword=ffxiv+how+to+refer+a+friend; the same URL also appears in the heavily obfuscated document body, which points to a deliberate attempt to lure users to that site. A second critical heuristic flagged a PDF link farm of 26 external links, many of them hosted on cdn.shopify.com. Neither finding depends on a parser vulnerability: the sample is a lure that relies on the user clicking through a redirect chain.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): the PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): a small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): the same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs:
- https://ttraff.ru/pify?keyword=ffxiv+how+to+refer+a+friend
- http://buwuw.cicadabridal.com/uploads/1/3/1/0/131070678/b271db683ade2.pdf
- http://jisog.simonikigweba.com/uploads/1/3/2/6/132695742/af793414f.pdf
- https://cdn.shopify.com/s/files/1/0437/8125/9421/files/luzomijozudivokar.pdf
- https://cdn.shopify.com/s/files/1/0434/3355/8168/files/vikings_wallpaper_android.pdf
- https://cdn.shopify.com/s/files/1/0432/2754/5757/files/61333431725.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/78682713185.pdf
- https://cdn.shopify.com/s/files/1/0438/2133/4688/files/708902875.pdf
- https://cdn.shopify.com/s/files/1/0428/2938/1791/files/physical_science_grade_11_term_3_test.pdf
- https://cdn.shopify.com/s/files/1/0429/0550/1852/files/tilanasenijakifaz.pdf
- https://cdn.shopify.com/s/files/1/0432/3006/8894/files/34024104135.pdf
- https://cdn.shopify.com/s/files/1/0429/3492/7513/files/android_development_mac_os.pdf
- https://cdn.shopify.com/s/files/1/0427/5470/3526/files/39159350406.pdf
- https://cdn.shopify.com/s/files/1/0432/5621/7750/files/abbyy_transformer_2._0_full_version_free_download.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

The last six entries are RDF/XMP namespace identifiers from the document's metadata packet, not clickable link targets; they appear in virtually every PDF produced by mainstream tooling and carry no weight in the verdict.
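The link-farm and duplicate-object heuristics above describe a shape rather than a specific parser. The following script is an added illustration, not the analyzer's code: it scans a constructed PDF-like byte string (not the analyzed sample) for /URI link annotations, clusters them by host to reproduce the PDF_SEO_LINK_FARM decision, and shows which body a first-wins versus last-wins reader would resolve for an object that is defined twice (the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape). The thresholds max_size, min_links and min_cluster, and the hosts redirector.example, *.example.net and *.example.org are assumptions; the cdn.shopify.com path prefix is reused from the URL list only as a host-clustering pattern. It is regex-based, so it ignores object streams and encrypted strings.

```python
"""Added triage example for PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL.
Illustrative code, not the analyzer's; regex-based, reads raw bytes only."""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import urlparse

# Literal-string /URI values; handles backslash-escaped characters inside the parentheses.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# "N G obj ... endobj" indirect object definitions, repeated definitions included.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)


def _unescape(s: bytes) -> bytes:
    """Undo the PDF literal-string escapes that matter for a URL: \\( \\) and \\\\."""
    return re.sub(rb"\\([()\\])", rb"\1", s)


def extract_uris(data: bytes) -> list[str]:
    """Every /URI (...) string in byte order, duplicates included (each is a clickable target)."""
    return [_unescape(m.group(1)).decode("latin-1") for m in URI_RE.finditer(data)]


def link_farm_verdict(data: bytes, *, max_size: int = 256_000, min_links: int = 10,
                      min_cluster: float = 0.5) -> dict:
    """Small file + many external links + most of them on one host: the link-farm shape.
    The three thresholds are illustrative assumptions, not the analyzer's values."""
    uris = extract_uris(data)
    hosts = Counter(urlparse(u).hostname or "" for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    ratio = top_n / len(uris) if uris else 0.0
    flagged = len(data) <= max_size and len(uris) >= min_links and ratio >= min_cluster
    return {"links": len(uris), "top_host": top_host,
            "cluster_ratio": round(ratio, 3), "flagged": flagged}


def duplicate_objects(data: bytes) -> dict[tuple[int, int], list[bytes]]:
    """(num, gen) -> bodies, for objects defined more than once with differing bodies.
    Whitespace is normalised so a reflowed but identical body does not count."""
    seen: dict[tuple[int, int], list[bytes]] = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        seen.setdefault(key, []).append(b" ".join(m.group(3).split()))
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve(data: bytes, num: int, gen: int = 0, policy: str = "last") -> bytes | None:
    """Body a first-wins or last-wins reader uses for object `num gen` (xref not consulted)."""
    bodies = [m.group(3).strip() for m in OBJ_RE.finditer(data)
              if (int(m.group(1)), int(m.group(2))) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


# ---- constructed sample (not the analyzed file): 12 link annotations, 8 on one host ----
def _link_obj(num: int, uri: str) -> bytes:
    return (f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            f"/A << /S /URI /URI ({uri}) >> >>\nendobj\n").encode()


_CDN = "https://cdn.shopify.com/s/files/1/0437/8125/9421/files/"
SAMPLE_URIS = [_CDN + f"{i:04d}.pdf" for i in range(8)] + [
    "http://one.example.net/a.pdf", "http://two.example.net/b.pdf",
    "https://three.example.org/c.pdf", "https://four.example.org/d.pdf",
]
_ANNOTS = " ".join(f"{10 + i} 0 R" for i in range(len(SAMPLE_URIS)))
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    + f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{_ANNOTS}] >>\nendobj\n".encode()
    + b"".join(_link_obj(10 + i, u) for i, u in enumerate(SAMPLE_URIS))
    # Object 10 defined again with a different body: a first-wins reader keeps the
    # original CDN link, a last-wins reader follows the redirector (hypothetical host).
    + _link_obj(10, "https://redirector.example/landing?keyword=lure")
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(link_farm_verdict(SAMPLE_PDF))
    for (num, gen), bodies in duplicate_objects(SAMPLE_PDF).items():
        print(f"object {num} {gen} defined {len(bodies)} times with differing bodies")
        print("  first-wins:", resolve(SAMPLE_PDF, num, gen, "first"))
        print("  last-wins: ", resolve(SAMPLE_PDF, num, gen, "last"))
```

Run it against a real sample by replacing SAMPLE_PDF with the file's bytes. The duplicate-object check deliberately normalises whitespace only: a body that differs by a single byte is still reported, because that is exactly the case where a lenient viewer and a strict scanner disagree about what the user will click.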
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00006103.bin | 07da1e1445e6e440eb09e49faa0be9072b09c9de4f7d5fe3c580c25c7d5f7042 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6103 | 4960 bytes |
| font_01_sfnt_off000071f6.bin | 50e9f633d11a6e496204851695c49b65a3f7eaf9306b4df260ea1949e3e6c29b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x71F6 | 10312 bytes |