MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a link to a known malicious redirector, ttraff.ru, which is disguised as a 'declarative and interrogative sentences worksheet 3rd grade'. This indicates a social engineering attempt to trick the user into visiting a malicious site. The ML classifier also strongly flagged this PDF as malicious. The presence of numerous links to external PDFs, many hosted on static.usrfiles.com, suggests a link farm or SEO poisoning tactic to improve search engine ranking for malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wix?keyword=declarative+and+interrogative+sentences+worksheet+3rd+grade
- https://static.usrfiles.com/ugd/b8c837_dd3e25d7631a44d99af8c9a5ed94781c.pdf
- https://static.usrfiles.com/ugd/7c30af_665a41b5ad3347fb826fe2b9f0f0986a.pdf
- https://static.usrfiles.com/ugd/fd3290_0e2f59fdb70f4d2e880916695f4ee63e.pdf
- https://static.usrfiles.com/ugd/e4a001_c9faa0bfbd2a48cbb46473bed3b8f377.pdf
- https://static.usrfiles.com/ugd/0a593f_78ceee5b45b1496f9cfe5d3b5ac9396e.pdf
- https://static.usrfiles.com/ugd/384ea4_9b08b1b67e6a473999e9580e810d4dbb.pdf
- https://static.usrfiles.com/ugd/b8c837_331ad7e87edc4c14a3869fe8a9245b56.pdf
- https://cdn.shopify.com/s/files/1/0431/6410/6908/files/gewagugijafovugofe.pdf
- https://cdn.shopify.com/s/files/1/0429/6222/3263/files/candy_crush_online_games_free.pdf
- https://cdn.shopify.com/s/files/1/0429/3158/5180/files/dijupep.pdf
- https://cdn.shopify.com/s/files/1/0430/2562/9335/files/case_study_research_pdf_example.pdf
- https://cdn.shopify.com/s/files/1/0440/8636/2264/files/aramco_operational_calendar_2019.pdf
- https://static.usrfiles.com/ugd/b6aaa0_ac4c19d4bad548578e57f6847227b728.pdf
- https://static.usrfiles.com/ugd/f967ac_a3ce852bc4fa4b8a99d9443b573ae695.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00004650.bin97d9ac4ccfcee09eab876b1d54b97d578ac462ad0e49c5a39c215450c5224aa0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4650 | 5580 bytes |
font_01_sfnt_off00005966.bin85a4bf4349a14099769d70e334c56ece1b32fa7091d51b0744f9692122952cf3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5966 | 10252 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.