MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a critical heuristic firing for a malicious redirector link, pointing to `https://ttraff.cc/pify?keyword=mapa+mundi+en+blanco+pdf`. This URL is embedded within the document body, disguised as a link to a blank world map PDF. The PDF also exhibits characteristics of a link farm, with numerous external links, many hosted on `cdn.shopify.com`. The ML classifier strongly flagged this PDF as malicious. The primary attack vector appears to be social engineering, luring the user to click the malicious link.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=mapa+mundi+en+blanco+pdf
- http://files.jfubaysidedevelopments.com/uploads/1/3/2/6/132681336/wibibilopalativu.pdf
- http://redanogu.juliehortonphoto.com/uploads/1/3/2/7/132710797/3aa0df9174.pdf
- http://files.forahumanfuture.org/uploads/1/3/0/8/130814208/dijalir-burikixupewiba.pdf
- https://cdn.shopify.com/s/files/1/0440/5189/0341/files/22833648155.pdf
- https://cdn.shopify.com/s/files/1/0436/6503/1321/files/mumenomoxose.pdf
- https://cdn.shopify.com/s/files/1/0440/8508/4310/files/28917651513.pdf
- https://cdn.shopify.com/s/files/1/0431/8406/2622/files/73498971129.pdf
- https://cdn.shopify.com/s/files/1/0436/9501/4056/files/rabonoluvaxedisefibove.pdf
- https://cdn.shopify.com/s/files/1/0429/8535/7463/files/jugusurofupimuxuxe.pdf
- https://cdn.shopify.com/s/files/1/0431/6240/2967/files/sogofumoboki.pdf
- https://cdn.shopify.com/s/files/1/0430/9159/1317/files/sakedara.pdf
- https://cdn.shopify.com/s/files/1/0431/5981/4306/files/nikitorovaseripomuxetopo.pdf
- https://cdn.shopify.com/s/files/1/0434/5734/7741/files/rewusadijere.pdf
- https://cdn.shopify.com/s/files/1/0439/7072/3998/files/kebogonenotuxekanunelej.pdf
- https://cdn.shopify.com/s/files/1/0438/4007/7981/files/craft_inc_business_planner.pdf
- https://cdn.shopify.com/s/files/1/0431/4903/3640/files/nrsv_bible.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006f40.bin75b536709291e41917abf0ab2c4cff8029a778e690bbaef8c4229b8e2badd6e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6F40 | 5172 bytes |
font_01_sfnt_off000080d3.bin1a0a60aa9051bf8fa9d1ab65bd262ebedaf37770a4d93233e2b01409f0615c0b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x80D3 | 12424 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.