MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains numerous embedded links, a common technique for SEO link farms and redirectors. The primary malicious URL, https://ttraff.ru/pify?keyword=how+to+search+a+pdf+document+in+windows+10, is identified as a malicious redirector. The document body, though partially corrupted, contains text related to searching PDFs, suggesting a lure to disguise the malicious intent. The ML classifier also strongly flagged this PDF as malicious.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=how+to+search+a+pdf+document+in+windows+10
- http://gofaxoze.yiannishouseofpizza.com/uploads/1/3/1/6/131606758/lapasovukerogo.pdf
- http://datizaru.dawnscarzellamd.com/uploads/1/3/0/9/130969204/7b5fbb6af25.pdf
- http://files.catholictriparish.org/uploads/1/3/0/8/130813095/5188336.pdf
- http://files.greenfielddevllc.org/uploads/1/3/2/8/132814439/3ad43ac93043.pdf
- https://cdn.shopify.com/s/files/1/0431/4021/9037/files/37362416869.pdf
- https://cdn.shopify.com/s/files/1/0437/7791/7090/files/46583788526.pdf
- https://cdn.shopify.com/s/files/1/0432/7217/5781/files/45174713241.pdf
- https://cdn.shopify.com/s/files/1/0431/8799/4792/files/71874493130.pdf
- https://cdn.shopify.com/s/files/1/0437/4393/6673/files/50340307987.pdf
- https://cdn.shopify.com/s/files/1/0428/2259/8823/files/33807997339.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/34680977850.pdf
- https://cdn.shopify.com/s/files/1/0435/6374/5441/files/bixujabudonasozanuro.pdf
- https://cdn.shopify.com/s/files/1/0429/3731/9590/files/16235307749.pdf
- https://cdn.shopify.com/s/files/1/0437/9148/3042/files/install_xgboost_python.pdf
- https://cdn.shopify.com/s/files/1/0430/4538/8442/files/luguboguluzeximoz.pdf
- https://cdn.shopify.com/s/files/1/0433/7257/6922/files/kixodidesovekojilodi.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/semigo.pdf
- https://cdn.shopify.com/s/files/1/0431/4379/0760/files/waridogiwumiwul.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006a0e.bineaee360cb369c08ade1b4c7d54ff30a3a22f91fb94a5b50ba287471b05f882ab |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6A0E | 5612 bytes |
font_01_sfnt_off00007d0b.bin1e0996036ebd0868122f979bab5a589091305bc40badb5050c0a6493056670a7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7D0B | 10200 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.