Malware Insights
The PDF contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/wix?keyword=open+enrollment+2020+california'. The document body, though partially corrupted, also contains this URL and text related to 'open enrollment 2020 california', suggesting a lure. Additionally, a PDF link farm heuristic indicates the presence of numerous external links, with the first being 'https://f62f8cb5-62d5-49ab-96f4-d1ba69492d9e.filesusr.com/ugd/4aae87_6dbd75d5659a4d03bfd4938a456e84c7.pdf?index=true'. The ML classifier also strongly flagged this PDF as malicious.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wix?keyword=open+enrollment+2020+california
- https://f62f8cb5-62d5-49ab-96f4-d1ba69492d9e.filesusr.com/ugd/4aae87_6dbd75d5659a4d03bfd4938a456e84c7.pdf?index=true
- https://113b5b62-a2f7-45bc-82cf-ba602d8fa8c2.filesusr.com/ugd/bf0735_f5b3514b04b44ef79e3d93f9cb999cec.pdf?index=true
- https://ce94d720-675f-4bb2-a5bf-c76f96be7744.filesusr.com/ugd/3bcfef_c7fe6ecaeb2344da9100a2445809de31.pdf?index=true
- https://89c8f6cc-c674-4952-953a-c151319104ec.filesusr.com/ugd/668a47_71dd9d2cecee4c3a83d058493e9cc6b6.pdf?index=true
- https://cdn.shopify.com/s/files/1/0429/7375/7603/files/muzup.pdf
- https://cdn.shopify.com/s/files/1/0432/7918/8118/files/brucellose_oie.pdf
- https://cdn.shopify.com/s/files/1/0440/2449/6286/files/assembly_language_programming_8086_examples.pdf
- https://cdn.shopify.com/s/files/1/0431/0581/2633/files/roxelogosotokupivojidifam.pdf
- https://cdn.shopify.com/s/files/1/0430/3428/0090/files/99531024746.pdf
- https://cdn.shopify.com/s/files/1/0434/6911/1449/files/3495885051.pdf
- https://cdn.shopify.com/s/files/1/0428/6775/3116/files/gimoret.pdf
- https://cdn.shopify.com/s/files/1/0462/6907/1511/files/xarovosiva.pdf
- https://eec1d889-bf61-4be7-856c-d2a9fc091142.filesusr.com/ugd/f95141_e17e20c50b7d4025b5894e5ef722c2ed.pdf?index=true
- https://7b33439e-7bf8-4702-bc96-e24a08751545.filesusr.com/ugd/c0fca2_c00f17b18a194ee580256abedca62845.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006b8a.bind0bcc3224ab238476c76afce5645a05d97dbca48fa2341d10c6067a148e10ada |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6B8A | 5284 bytes |
font_01_sfnt_off00007d6a.bine596b2ec78acbd415b370f5dd17d31190df692e39782a709292bc07ce3a3dba0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7D6A | 10748 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.