MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a large number of embedded links, many of which point to Shopify domains hosting other PDFs, suggesting a link farm for SEO manipulation or traffic redirection. One critical heuristic identified a direct link to known malicious redirector infrastructure at `https://ttraff.cc/wb?keyword=craftsman%2020%20gallon%20air%20compressor%20manual`. The ML classifier also strongly indicated maliciousness.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wb?keyword=craftsman%2020%20gallon%20air%20compressor%20manual
- http://files.nayaritbeachfrontproperties.com/uploads/1/3/2/7/132710763/279501a6593fde.pdf
- http://files.jackiecheuvront.com/uploads/1/3/1/4/131454172/b48c3e2b491c5f9.pdf
- http://files.johnlalla.com/uploads/1/3/1/4/131453393/nefuxaxikozodiguza.pdf
- http://files.spamitzvah.com/uploads/1/3/1/3/131384789/2268709.pdf
- https://cdn.shopify.com/s/files/1/0431/1564/3042/files/66572363160.pdf
- https://cdn.shopify.com/s/files/1/0432/1312/7835/files/82796634670.pdf
- https://cdn.shopify.com/s/files/1/0432/5729/9097/files/33073583526.pdf
- https://cdn.shopify.com/s/files/1/0432/6345/9496/files/reba_fancy_lyrics.pdf
- https://cdn.shopify.com/s/files/1/0434/9889/7574/files/ruwimade.pdf
- https://cdn.shopify.com/s/files/1/0428/2312/3100/files/77492846043.pdf
- https://cdn.shopify.com/s/files/1/0438/6055/7974/files/gebejewizupavobavoj.pdf
- https://cdn.shopify.com/s/files/1/0434/7386/2808/files/lateral_thinking_meaning.pdf
- https://cdn.shopify.com/s/files/1/0434/1058/7800/files/gojidare.pdf
- https://cdn.shopify.com/s/files/1/0439/6944/6046/files/nifomuvapaladoruteset.pdf
- https://cdn.shopify.com/s/files/1/0429/2660/4447/files/58532992547.pdf
- https://cdn.shopify.com/s/files/1/0431/5879/8492/files/79427070587.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005f37.bin26b17a8076dd2389a5295da587c71d8e399aeaadb14abd955afb788140123c15 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5F37 | 5516 bytes |
font_01_sfnt_off000071dc.bincb43f45585de0b2a2072fb8d68a7325aaf3ee701b292d65c21e8e6197b37cb51 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x71DC | 10176 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.