MALICIOUS
194
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF document contains multiple embedded links, including one pointing to a known malicious redirector at 'https://ttraff.cc/pify?keyword=kids+simonandschuster+com+dork+diaries+videos'. This redirector likely leads to a phishing page or a malware download. The presence of a large number of external PDF links, many hosted on Shopify, suggests a link farm designed to manipulate search engine results for malicious purposes. No scripts were extracted, but the embedded URLs are the primary indicators of malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINKPDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=kids+simonandschuster+com+dork+diaries+videos In PDF document text
- https://dudikojegak.weebly.com/uploads/1/3/1/4/131406444/809870fb2.pdfIn PDF document text
- https://risimukino.weebly.com/uploads/1/3/1/3/131383953/7377752.pdfIn PDF document text
- https://vopevejefed.weebly.com/uploads/1/3/1/6/131606133/fitureji_benonudurivel_vunodekuvos_xapilirav.pdfIn PDF document text
- https://komamopiragi.weebly.com/uploads/1/3/4/4/134444029/pazogi_jetibulamo.pdfIn PDF document text
- https://tenasusuboziwid.weebly.com/uploads/1/3/4/3/134349012/nudusiwaxo-gavef-lagetuxig.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://cdn.shopify.com/s/files/1/0480/7367/0820/files/65902530842.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0481/7521/8837/files/karod.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0500/0157/6086/files/gixudavetomomuvulires.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0440/7597/4821/files/mewodenifiguz.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0268/9010/9097/files/83747497205.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/7d3d41a2-666d-43c4-b0c7-5be700749195/bugakazuvemosem.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0461/8276/0601/files/43684892809.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/4df2d684-06b7-48a0-86d0-930b8d227eb1/narovibuxevajagekogatejun.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/2cae0cb1-22c0-4d48-8ea2-f13cdbbc912a/download_the_forbidden_kingdom_full_movie.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/9797859a-b0fd-4bca-95f4-f9d2486a3c3e/kawoworosodogiti.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0496/5377/6548/files/gusadiref.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/08ade327-48ac-4921-8520-4dcf42f97e34/fapevipugetu.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ebca16e6-8aba-4d13-8c86-30a0b9ce091c/liludipirirorubupemin.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0480/1108/3935/files/tubemate_download_for_android_6.1.1_free.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/bc7dc182-1b7a-404c-a0a8-096f85a86715/11387200171.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00004ad8.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4AD8 | 5240 bytes |
SHA-256: 3d7b42013d8fe58acf1bbaab199a29cc8dbb916494dc849aea7a26366e99e3ee |
|||
font_01_sfnt_off00005c7d.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5C7D | 9452 bytes |
SHA-256: cc84c83ed7d6319267d6469d8c53ff1e0fd3238e7518c028986b69bd642fc75a |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.