MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF document contains a critical heuristic firing for a malicious redirector link, pointing to 'ttraff.com'. The document body, though heavily obfuscated, contains text suggesting it is a lure for a manual, likely to trick users into clicking the malicious link. The presence of numerous other PDF links, many hosted on Shopify and static.usrfiles.com, indicates a link farm strategy to obscure the ultimate destination. No scripts were extracted from this sample.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=miller+maxstar+150+stl+owners+manual
- https://cdn.shopify.com/s/files/1/0431/5152/4008/files/33349354592.pdf
- https://cdn.shopify.com/s/files/1/0430/1871/5289/files/3120760891.pdf
- https://cdn.shopify.com/s/files/1/0437/9725/0205/files/borug.pdf
- https://cdn.shopify.com/s/files/1/0432/7086/5052/files/public_speaking_topics.pdf
- https://cdn.shopify.com/s/files/1/0433/5029/4687/files/remote_control_john_deer.pdf
- https://static.usrfiles.com/ugd/b8c837_ba489bf9134d4ab685139343aed42a73.pdf
- https://static.usrfiles.com/ugd/b8c837_02be4e9ddc814943ae020a14cdcfa3df.pdf
- https://static.usrfiles.com/ugd/b8c837_02d3e4587d254423a7fbd95ea432ab12.pdf
- https://static.usrfiles.com/ugd/b8c837_03e7ce6df96048598ab3c47108988558.pdf
- https://static.usrfiles.com/ugd/b8c837_3d8f19c115ae440c85890e15b3f8a894.pdf
- https://static.usrfiles.com/ugd/b8c837_10c165ccca2648dea3ce9a573b0be4fb.pdf
- https://static.usrfiles.com/ugd/b8c837_15da5ebc1360471ab55a8ca19d7e0308.pdf
- https://static.usrfiles.com/ugd/b8c837_de9313b406d64784937543534630954f.pdf
- https://static.usrfiles.com/ugd/b8c837_95b63f57fc54495db8ce1454c6586e8f.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00004a37.bindf4994fcd85165ffd898528d241fde597657f71d74777e3178ddd094fe533198 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4A37 | 5316 bytes |
font_01_sfnt_off00005c53.bin05ce755fec49270d5d3baf0e9a50e1e88e7005b009ce6d3dbc8cef11ffb53e96 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5C53 | 13752 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.