MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=missile+guidance+and+control+systems+pdf'. Additionally, it features a large number of external PDF links, many hosted on Shopify, suggesting a link farm SEO abuse tactic. The ML classifier also strongly flagged this PDF as malicious. The primary attack vector appears to be social engineering via a deceptive link within the document.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wix?keyword=missile+guidance+and+control+systems+pdf
- https://cdn.shopify.com/s/files/1/0432/0555/8436/files/88080801516.pdf
- https://cdn.shopify.com/s/files/1/0434/5410/3713/files/90810891410.pdf
- https://cdn.shopify.com/s/files/1/0434/1425/7815/files/tudalazalet.pdf
- https://cdn.shopify.com/s/files/1/0465/5126/9526/files/58621363770.pdf
- https://cdn.shopify.com/s/files/1/0435/1174/2628/files/carmin_nuvi_760.pdf
- https://static.usrfiles.com/ugd/b8c837_9e4d68cb59ec4e08b0337687bd48d99e.pdf
- https://static.usrfiles.com/ugd/b8c837_458f48793b4545df8b1088134a520bba.pdf
- https://static.usrfiles.com/ugd/b8c837_df1e1e1c7dc249658be1a42a5f020220.pdf
- https://static.usrfiles.com/ugd/b8c837_b5cfaea357d74801a4863968279feb0a.pdf
- https://static.usrfiles.com/ugd/b8c837_8c8a9f9fdaf245c5bb33594a03a051e2.pdf
- https://static.usrfiles.com/ugd/b8c837_2f3a30c779d64caa82f7c8d520bb5d73.pdf
- https://cdn.shopify.com/s/files/1/0428/7728/8611/files/58087794867.pdf
- https://cdn.shopify.com/s/files/1/0438/8211/9323/files/neumonia_nosocomial_definicion.pdf
- https://cdn.shopify.com/s/files/1/0432/6401/6539/files/71537980985.pdf
- https://cdn.shopify.com/s/files/1/0431/8612/7009/files/81502554804.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00008717.bin8fd769e7eb78c1ebddecda76d05273298a9c5205e37e8d4fd34d12ba169a0082 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8717 | 5580 bytes |
font_01_sfnt_off00009a09.bina1ba91c4191e896e6934410c19fa4771d1b07186f67ce2b5e6629c8a5c28fdce |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9A09 | 10296 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.