MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
This PDF file was flagged as malicious by an ML classifier and contains a critical heuristic indicating a link to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains the URL https://ttraff.cc/wix?keyword=blockly+games+movie+answers, which is the primary indicator of malicious intent. Additionally, the PDF hosts a link farm of other PDFs, likely for SEO poisoning or to obscure the malicious redirector.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wix?keyword=blockly+games+movie+answers
- https://cdn.shopify.com/s/files/1/0434/3191/9765/files/osrs_cox_solo_guide.pdf
- https://cdn.shopify.com/s/files/1/0431/8117/9029/files/puzoronena.pdf
- https://cdn.shopify.com/s/files/1/0429/8440/7199/files/how_does_wikileaks_get_its_information.pdf
- https://cdn.shopify.com/s/files/1/0439/1829/5195/files/interview_method_in_psychology.pdf
- https://cdn.shopify.com/s/files/1/0431/0047/1456/files/33136310797.pdf
- https://cdn.shopify.com/s/files/1/0463/2933/1869/files/89883317454.pdf
- https://cdn.shopify.com/s/files/1/0429/7146/3831/files/timorinixatepiteg.pdf
- https://cdn.shopify.com/s/files/1/0435/5575/0049/files/cell_differentiation_worksheet.pdf
- https://cdn.shopify.com/s/files/1/0431/1636/3927/files/87621234331.pdf
- https://cdn.shopify.com/s/files/1/0431/4716/5850/files/cambridge_english_advanced_practice_tests_plus_2_2020.pdf
- https://cdn.shopify.com/s/files/1/0437/9390/7869/files/77661235.pdf
- https://cdn.shopify.com/s/files/1/0432/4573/2007/files/budikuzosoboremiv.pdf
- https://static.usrfiles.com/ugd/b8c837_65a89d287a984481afab65a9a83a6242.pdf
- https://static.usrfiles.com/ugd/f1780b_96dbbe70bf2346bda49ae4781e6e8ad3.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00004432.bineb77f0b8cef6d1e26715835a497df27cd8091cebc79d1b25dbcb6591142f3f4e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4432 | 5484 bytes |
font_01_sfnt_off000056e1.bin8e22e23a4cb0654c1a176abe74af040834e2e97986eb9066b8d7d4ce12cb6516 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x56E1 | 9284 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.