MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. Additionally, it exhibits characteristics of a PDF link farm, embedding numerous external links, with the primary one leading to a Shopify domain. The document body, though heavily obfuscated, contains text related to 'examen de matematicas primer grado p' and the wkhtmltopdf tool, suggesting a lure to disguise the malicious intent. The primary malicious URL is 'https://ttraff.com/wix?keyword=examen+de+matematicas+primer+grado+p'.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=examen+de+matematicas+primer+grado+p
- https://cdn.shopify.com/s/files/1/0434/6563/8050/files/simplesmente_acontece_download.pdf
- https://cdn.shopify.com/s/files/1/0435/0623/7604/files/71454933129.pdf
- https://cdn.shopify.com/s/files/1/0434/0888/3870/files/29417603525.pdf
- https://cdn.shopify.com/s/files/1/0434/4253/6598/files/24152666090.pdf
- https://cdn.shopify.com/s/files/1/0428/2014/1223/files/77557540643.pdf
- https://cdn.shopify.com/s/files/1/0433/0523/8688/files/alfonsina_storni_poemas.pdf
- https://static.usrfiles.com/ugd/b8c837_3bb1240c36df4070a09f433bd2f94fb8.pdf
- https://static.usrfiles.com/ugd/2b3f46_64bc60f7f3634f2f988b14e7b7dfd3cc.pdf
- https://static.usrfiles.com/ugd/8ba634_ba4f90fbbb2d4aa68afe3fa66aedb5e4.pdf
- https://static.usrfiles.com/ugd/b8c837_63be9aad80654b8fbedc3e38fa9dc152.pdf
- https://static.usrfiles.com/ugd/b8c837_1779f72805b5484d8595fa4a2d796370.pdf
- https://static.usrfiles.com/ugd/b8c837_2e001332d39b4cd69e54935833f64099.pdf
- https://static.usrfiles.com/ugd/b8c837_946e224b9e224da3ba33e5d7e7495b8f.pdf
- https://static.usrfiles.com/ugd/b8c837_c025833d1d234c23969e4c6b46ed53dd.pdf
- https://static.usrfiles.com/ugd/b8c837_95e3fd9b63754def9f9f155dcc2c4c7c.pdf
- https://static.usrfiles.com/ugd/07625c_6bae7d810f234ea08e31210ff9b96dae.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005178.bindd6be07290cb90896275e027bc7c263bc9bcb0abc30f12c6f3138b34e9d50e4b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5178 | 5384 bytes |
font_01_sfnt_off000063b5.bin4e851a9299819c492281345a7941eb45eb1c99cafa6c333a8425d5397620fee9 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x63B5 | 14640 bytes |
font_02_sfnt_off00008fb0.bin073dee480399a0a44f59834a72d2ef372219071628d3787cc95d902351e1adc0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8FB0 | 16124 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.