MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a link to a redirector URL, which is a common tactic for delivering malicious payloads or phishing pages. The document body, though heavily obfuscated, contains text related to 'cracking the money code trading pdf manual', suggesting a lure to entice users to click the malicious link. The presence of numerous Shopify links, while many are benign, indicates a potential link farm strategy to obscure the malicious destination. The ML classifier strongly flagged this PDF as malicious.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.me/wix?keyword=cracking+the+money+code+trading+pdf+manual
- https://cdn.shopify.com/s/files/1/0434/2890/5127/files/video_twitter_tanpa_app.pdf
- https://cdn.shopify.com/s/files/1/0431/3510/7233/files/tunelevedozodewebasa.pdf
- https://cdn.shopify.com/s/files/1/0434/4751/7349/files/19207647409.pdf
- https://cdn.shopify.com/s/files/1/0435/4850/8311/files/aadhar_card_format.pdf
- https://cdn.shopify.com/s/files/1/0431/1184/1958/files/54658264171.pdf
- https://cdn.shopify.com/s/files/1/0450/7552/9891/files/apostrophe_worksheet_grade_3.pdf
- https://cdn.shopify.com/s/files/1/0434/7353/5138/files/16160486716.pdf
- https://cdn.shopify.com/s/files/1/0437/0972/6874/files/tweakbox_app_slow.pdf
- https://cdn.shopify.com/s/files/1/0431/3553/3218/files/prontuario_cemento_armato_santarella.pdf
- https://cdn.shopify.com/s/files/1/0438/4853/2128/files/tibisafazisonoruz.pdf
- https://b45d1d4f-8480-4a00-a4b7-145408e722ee.filesusr.com/ugd/b7306e_1b46bf297f4a407792c92736065e0fad.pdf?index=true
- https://43faa5e8-fbb1-4417-a1a2-20b363750730.filesusr.com/ugd/7603ae_5fc36482b36f469580f17e474fbbb137.pdf?index=true
- https://cdn.shopify.com/s/files/1/0432/3550/8392/files/85849011631.pdf
- https://cdn.shopify.com/s/files/1/0429/9954/6010/files/68195501571.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000062c3.bin98cae60e3f884ae13742104483ef0fece5a364d3def7d6983d63290eb17d405e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x62C3 | 5460 bytes |
font_01_sfnt_off00007531.bind384b74c0cded260c6338fc1a8320e7fcf5a26f87e8e7c6bf48c8362d3860270 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7531 | 10560 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.