MALICIOUS
152
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
T1204.002 Malicious Link
The PDF contains a prominent link promising a 'line play gem hack', which redirects to the malicious URL ttraff.ru. This URL is flagged as a known malicious redirector. The document body, though heavily obfuscated, contains the same lure text and URL. The presence of numerous links to Shopify PDFs suggests a link farm tactic to improve search engine ranking for malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=line+play+gem+hack
- http://files.coastalcandyphotography.com/uploads/1/3/0/9/130969545/namebetepogaf.pdf
- https://cdn.shopify.com/s/files/1/0451/2923/6645/files/arjuna_award_2020.pdf
- https://cdn.shopify.com/s/files/1/0432/8721/6293/files/83211351523.pdf
- https://cdn.shopify.com/s/files/1/0430/8772/4704/files/bosch_fridge_manual.pdf
- https://cdn.shopify.com/s/files/1/0429/6887/5157/files/87182261240.pdf
- https://cdn.shopify.com/s/files/1/0431/1826/4469/files/s_p_name_status_video.pdf
- https://cdn.shopify.com/s/files/1/0433/7418/2563/files/dosojepurigoganexopubi.pdf
- https://cdn.shopify.com/s/files/1/0432/2466/2173/files/3591195968.pdf
- https://cdn.shopify.com/s/files/1/0430/0875/3827/files/61569594667.pdf
- https://cdn.shopify.com/s/files/1/0435/3202/6008/files/pexigepa.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005089.binc6740cbe68cfea56b7d9ba9a340135e75d2084a2f4b8c9e45b9bba63f72e5343 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5089 | 5180 bytes |
font_01_sfnt_off00006202.binf187bb83f403962fd5ede0c989533cb7a4a925d59e1fab53e55243a4822de9bd |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6202 | 2876 bytes |
font_02_sfnt_off00006e57.bin3707e3e8b96538697cd5d364ede454d652150c0b91b96d5a3fcb5c0b6b89919d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6E57 | 15020 bytes |
font_03_sfnt_off00009d2e.binb6cb87855678982a456548db43ca2fd93da4381cd1ddb043a23bcc45d07733c9 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9D2E | 17092 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.