MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains numerous links, including one to a known malicious redirector infrastructure at 'ttraff.cc'. The document body, despite being heavily obfuscated, contains text related to 'free personification worksheets 4th grade' and the malicious URL, suggesting a lure to trick users into clicking the link. The ML classifier strongly indicated maliciousness.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wix?keyword=free+personification+worksheets+4th+grade
- https://static.usrfiles.com/ugd/ad2ade_0cc160aa4f714997a1deaee8a39a3a3b.pdf
- https://static.usrfiles.com/ugd/33ab24_24a36a010f3e4d85b3a554fb5984a341.pdf
- https://static.usrfiles.com/ugd/b8c837_0ea82feab48846e2affe08e1fd49485a.pdf
- https://static.usrfiles.com/ugd/b8c837_7d37cacaac1b4d3b83e38fa871d2ed5f.pdf
- https://static.usrfiles.com/ugd/b8c837_1c31454b5c9f4623b96c73110c8518bf.pdf
- https://static.usrfiles.com/ugd/b8c837_0b30166810744730a5fff6f5805142f8.pdf
- https://cdn.shopify.com/s/files/1/0431/7328/1948/files/60888800063.pdf
- https://cdn.shopify.com/s/files/1/0430/6200/1825/files/47482739363.pdf
- https://static.usrfiles.com/ugd/b8c837_e1ecea4fb2ef4005905eea90850c4860.pdf
- https://static.usrfiles.com/ugd/7ff653_b0bb28c3de7c4126bdd6e9e2747998d7.pdf
- https://static.usrfiles.com/ugd/7e0eb0_307da24e9e8e43a9898ad1d5149442fc.pdf
- https://static.usrfiles.com/ugd/5ecadc_aa14541c389e4f2a8a1f662d8057461a.pdf
- https://static.usrfiles.com/ugd/b8c837_db43475c013b4a038cbe994afa5ee37f.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005c62.bin55dd26c9dc7fbd5795fe550ae3cfd210563ef74f869e0c5f169599d6b0d2d4bf |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5C62 | 5584 bytes |
font_01_sfnt_off00006f7c.binaabe84d2721811be7c061e76751276acccc9002c2595db7696b0d98a120ed758 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6F7C | 10024 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.