MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a large number of external links, many pointing to Shopify domains hosting other PDFs, suggesting a link farm for SEO poisoning. One critical heuristic identified a link to a known malicious redirector at 'https://ttraff.ru/pify?keyword=asma+ul+husna+malayalam+pdf'. The ML classifier strongly supports the malicious nature of this PDF. No scripts were extracted from this sample.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=asma+ul+husna+malayalam+pdf
- http://files.missionroadsdachurch.com/uploads/1/3/1/4/131438819/35a36b26c.pdf
- http://files.jenniferrosewebster.com/uploads/1/3/1/8/131856435/f0f544827c05485.pdf
- http://mapumi.bodyworkharmonics.com/uploads/1/3/2/6/132681556/penakevuvodire_fawaj_fasojuw_xutozomi.pdf
- https://cdn.shopify.com/s/files/1/0429/5763/5735/files/kadedaxajiwutipobexino.pdf
- https://cdn.shopify.com/s/files/1/0434/0196/9820/files/zesubukovilutujivutenuzuv.pdf
- https://cdn.shopify.com/s/files/1/0429/5521/0905/files/2_phones_lyrics_clean.pdf
- https://cdn.shopify.com/s/files/1/0435/6512/1699/files/google_drive_reader.pdf
- https://cdn.shopify.com/s/files/1/0434/2366/2236/files/88902605587.pdf
- https://cdn.shopify.com/s/files/1/0427/7973/8278/files/fujetugajudasebojilalod.pdf
- https://cdn.shopify.com/s/files/1/0438/2133/4690/files/maveriduzu.pdf
- https://cdn.shopify.com/s/files/1/0430/0642/7299/files/81819699966.pdf
- https://cdn.shopify.com/s/files/1/0435/8068/6497/files/gemeviluvabol.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/pigirerunozekolufis.pdf
- https://cdn.shopify.com/s/files/1/0433/0700/8168/files/oscillatory_motion.pdf
- https://cdn.shopify.com/s/files/1/0431/6866/1670/files/kamonexof.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_006_off0000c1c6.binbc779f2eb87730d2587db1d8352777b064c399e52b47a448ae35dd46b604ec00 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xC1C6 | 28960 bytes |
font_00_sfnt_off00006c15.bine360eff424eebc3380701f7360e6257b5fcc5ceea54bd1a0a7f46853e4651e30 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6C15 | 5276 bytes |
font_01_sfnt_off00007de7.bina777ec3c9c1809f0d851ab666b8e2a0385466f959ef2432958bbe52dd746c838 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7DE7 | 9108 bytes |
font_02_sfnt_off00009cf5.bin085d393bea79c2a90aff04af0338f4f49fd392ff8ad4bef2cdb0d063104a3bbd |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9CF5 | 10788 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.