MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file was flagged as malicious by a machine learning classifier and contains a large number of embedded links, many pointing to external resources. One critical heuristic identified a link to known malicious redirector infrastructure at https://ttraff.ru/wix. The document body contains garbled text but includes the same suspicious URL, suggesting a potential lure or redirection mechanism. The presence of numerous links, including one to a known malicious redirector, indicates a likely attempt to manipulate search engine results or direct users to harmful content.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wix?keyword=suzuki+violin+school+violin+part+vol
- https://cdn.shopify.com/s/files/1/0428/8633/2575/files/25537402740.pdf
- https://cdn.shopify.com/s/files/1/0428/3603/3695/files/atraves_de_mi_ventana_ariana_godoy.pdf
- https://cdn.shopify.com/s/files/1/0434/5623/3638/files/baldur_s_gate_android.pdf
- https://cdn.shopify.com/s/files/1/0434/6871/8233/files/refuz.pdf
- https://static.usrfiles.com/ugd/b8c837_79014978337143ef8aa256f3ebac420b.pdf
- https://static.usrfiles.com/ugd/726ec9_70131fc80e0f40329122323f3b351a90.pdf
- https://static.usrfiles.com/ugd/7dd30d_c6c6f3604dc144458b63be8b5a12c71d.pdf
- https://static.usrfiles.com/ugd/b8c837_eeb644a8260646139682e89063430a1d.pdf
- https://static.usrfiles.com/ugd/ce0e6d_59bc8e0881234af9a2b2ad307d572775.pdf
- https://static.usrfiles.com/ugd/83d902_2ee08eb11ac24b8d9218c2284a4171df.pdf
- https://static.usrfiles.com/ugd/b8c837_958296bf50a54ab59f4d998d3d98c7f3.pdf
- https://static.usrfiles.com/ugd/b8c837_421e14b7ca234560853dc5bebd232cee.pdf
- https://static.usrfiles.com/ugd/5438e3_c195acad8eb34a649d47ea2b07d96cf4.pdf
- https://static.usrfiles.com/ugd/0047a4_937f1140887e41dd9124e31a57ab8bce.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000054a3.bin9a7a2d1b12c3a5f8c7f0c43873e601cfbe82f6c2b1fa41834ab227d86b6c66de |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x54A3 | 5300 bytes |
font_01_sfnt_off000066a4.bin848896cf457369ceb2ebb178444f9d27adb4e45fed993c3afa5e5a9570930887 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x66A4 | 15092 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.