MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1200 Hardware Addends
T1059.001 PowerShell
The PDF contains multiple embedded URLs, with one identified as a malicious redirector. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK specifically flags the URL https://ttraff.ru/wix?keyword=led+vs+incandescent as malicious. Additionally, the PDF_SEO_LINK_FARM heuristic indicates a large number of external links, suggesting a link farm or a method to obscure the true destination. The ML classifier also strongly indicated maliciousness.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wix?keyword=led+vs+incandescent
- https://static.usrfiles.com/ugd/314c35_1dcab5b0fe6e40d5a3e7ccbfaf741f00.pdf
- https://static.usrfiles.com/ugd/2486b5_5c5c443bf45d448aa548ac71d85c56c8.pdf
- https://static.usrfiles.com/ugd/b8c837_ad69518613604b57992494a838919344.pdf
- https://static.usrfiles.com/ugd/7598fa_493312956a794d439d9071f108eb4eaf.pdf
- https://cdn.shopify.com/s/files/1/0430/8012/2532/files/vumoge.pdf
- https://cdn.shopify.com/s/files/1/0429/7962/3071/files/zegikomidepurixujuda.pdf
- https://cdn.shopify.com/s/files/1/0431/1020/3556/files/beamer_latex_example.pdf
- https://cdn.shopify.com/s/files/1/0437/7663/9127/files/aqua_barbie_remix_song.pdf
- https://cdn.shopify.com/s/files/1/0432/6073/9752/files/unblock_phone_numbers_on_android.pdf
- https://static.usrfiles.com/ugd/b8c837_714e8b6834044b54b35d2edd40928b03.pdf
- https://static.usrfiles.com/ugd/08fe48_ad1e62de73f2482d86947c4863f53dae.pdf
- https://static.usrfiles.com/ugd/0511f5_5841b0d70c67477ea3f086d6e7d84680.pdf
- https://static.usrfiles.com/ugd/c7ef1a_c1158f17348a442a8f5a0f5611ea75b6.pdf
- https://static.usrfiles.com/ugd/b8c837_9c5e88d230c347a6a819567be00ac3b9.pdf
- https://static.usrfiles.com/ugd/b65acf_e6cc40d82a154996ad8cc407ad0e5a47.pdf
- https://static.usrfiles.com/ugd/b8c837_0a4efbfdb90b458abc7854d09df9785c.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_004_off00008a3c.bineedff10d791170ff786bc66a1ad91f2f943bd10cd58d75c4f4e16ecbd60d5de9 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x8A3C | 10836 bytes |
font_00_sfnt_off000079ce.binae9c5458a25beb03e64afc448257597a5017bbb18214cd53ba12755390b0126e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x79CE | 4804 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.