MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF document was flagged as malicious by a machine learning classifier and contains a large number of embedded links. One of these links, https://ttraff.me/wix?keyword=alphabet+hebreu+francais+pdf, points to known malicious redirector infrastructure. The document body itself is heavily obfuscated and contains many URLs, suggesting a link farm or redirection scheme designed to lead users to malicious content. No scripts were extracted from this sample.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.me/wix?keyword=alphabet+hebreu+francais+pdf
- https://static.usrfiles.com/ugd/5360f8_be6cbf75b93e416183f18f522ceaf649.pdf
- https://static.usrfiles.com/ugd/e481ce_f340e19f3460494aaaf758b6ea2bde41.pdf
- https://static.usrfiles.com/ugd/a6e5e9_ab3b546ed8de4f0f8d2bcf9e39a1e06d.pdf
- https://static.usrfiles.com/ugd/3f2390_bd86144ca0964456a6bd4d2a3cd7598e.pdf
- https://cdn.shopify.com/s/files/1/0430/9703/0817/files/kodedubutilebonip.pdf
- https://cdn.shopify.com/s/files/1/0438/2353/0141/files/roferonolobojetavaxar.pdf
- https://static.usrfiles.com/ugd/7c41c1_dbfef1a2e29040fd992ac220081967a1.pdf
- https://static.usrfiles.com/ugd/c33cdb_6b6be36a452c48e8b422d89797dc49c8.pdf
- https://static.usrfiles.com/ugd/ff2e72_c0f5b0d910244ed084e8ce310d5fd4a0.pdf
- https://static.usrfiles.com/ugd/ef253e_a57d9b51684e448f985537e6ebddce7c.pdf
- https://static.usrfiles.com/ugd/ceb2e8_8b830efd196a4961af3e764493382e98.pdf
- https://static.usrfiles.com/ugd/d9d1f5_3f37b2a20b0d4b02a252a13290934cef.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006e77.bin7dfe6c81f4decee22725e7d6ab27472afc8aecba04a626ede323b9581a4f0c86 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6E77 | 5372 bytes |
font_01_sfnt_off000080ac.bin53cf4622142d11c0d19c6b28d576ee727296f153c1ca00bac67c46ae937f7c81 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x80AC | 16268 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.