MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a critical heuristic firing for a malicious redirector link pointing to ttraff.com. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs, including one hosted on cdn.shopify.com. The ML classifier also strongly indicated maliciousness. The document body appears to be largely obfuscated or corrupted, preventing a detailed content analysis, but the presence of the malicious redirector is sufficient to determine the attack pattern.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=acgih+2020+portugues+pdf
- http://files.gracemehm.com/uploads/1/3/2/6/132695560/xatuvi.pdf
- http://files.purrfectcup.com/uploads/1/3/1/6/131637529/sugazo.pdf
- http://files.pcconfections.com/uploads/1/3/0/7/130775619/taveleba_misup_xosagasovul.pdf
- http://files.pureblissbodyconfections.com/uploads/1/3/1/8/131856125/zadomazemel-midewoke.pdf
- http://files.justaboutpetswc.ca/uploads/1/3/0/7/130775690/jobaxarivurerigusan.pdf
- http://files.pureblissbody
- https://cdn.shopify.com/s/files/1/0431/9304/1053/files/95946799714.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/mojedisubeweful.pdf
- https://cdn.shopify.com/s/files/1/0431/4356/1384/files/tovudedifufupa.pdf
- https://cdn.shopify.com/s/files/1/0440/5608/4630/files/64072827640.pdf
- https://cdn.shopify.com/s/files/1/0434/3644/1767/files/84982312362.pdf
- https://cdn.shopify.com/s/files/1/0435/7577/1304/files/kurunojajipil.pdf
- https://cdn.shopify.com/s/files/1/0437/3594/1274/files/79132487243.pdf
- https://cdn.shopify.com/s/files/1/0434/6377/0274/files/98323168071.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/96704933611.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/53293114795.pdf
- https://cdn.shopify.com/s/files/1/0436/4327/3369/files/37182809523.pdf
- https://cdn.shopify.com/s/files/1/0428/4206/3004/files/bovugogesosuvelaz.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000064e6.bina231b3d2ee0970db8b84f7717f61d8f5d7515f35985bc506add5e0ba90849ea4 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x64E6 | 5216 bytes |
font_01_sfnt_off000076c9.bin4ca9683b9ddd5701d7fb38ba8aaa4b2722ebc00defc079e62f20d5985a4496ea |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x76C9 | 11004 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.