Verdict: MALICIOUS
Risk Score: 152
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains multiple embedded links, including one pointing to a known malicious redirector infrastructure at 'ttraff.me'. The document body and heuristics indicate a lure for downloading software, specifically mentioning 'towelroot v1 apk download'. The presence of numerous external PDF links suggests a link farm designed to attract search engine traffic and potentially distribute malware. No scripts were extracted from this sample.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://ttraff.me/wix?keyword=towelroot+v1+apk+download
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00005706.bin | 9e459dfac096766b37f4193669912f364582a2ccaad2c9fee690d16bd0ef9eb8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5706 | 4992 bytes |
| font_01_sfnt_off0000682d.bin | a8a9dec4dd6611648b951f1abc4817a7fc3876ed88c52b04c76f03020038b504 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x682D | 10104 bytes |