MALICIOUS
Risk Score: 150
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF triggers the PDF_MALICIOUS_REDIRECTOR_LINK heuristic, indicating that it directs users to a known malicious URL. The document body, though heavily obfuscated, contains the text 'Filler guide fairy tail' and the malicious URL, suggesting a lure to a scam or phishing site. The PDF also contains a large number of embedded links, flagged by PDF_SEO_LINK_FARM, which are likely part of a link farm to improve SEO for malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: https://ttraff.me/wix?keyword=filler+guide+fairy+tail
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00007ada.bin a70a2b338df3ffc76847d3cd834b0f7673cf2c8ca0e6e31370ebfc43505074cb | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7ADA | 4620 bytes |
| font_01_sfnt_off00008aa8.bin 431e5ac13c176eee2bbc9e87bfa47dcb46aae4ce5cceff27d7a2d597c2fded7c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8AA8 | 15964 bytes |
| font_02_sfnt_off0000bbc3.bin a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBBC3 | 4324 bytes |