MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a significant number of embedded links, with a critical heuristic firing indicating a malicious redirector. The primary malicious URL identified is https://ttraff.ru/wix?keyword=adobe+audition+cc+2018, which is likely used to lure victims. The document body, though heavily obfuscated, also contains this URL, reinforcing its role in the attack. The presence of a large link farm suggests an attempt to obscure the true destination or to leverage SEO techniques for distribution.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wix?keyword=adobe+audition+cc+2018
- https://static.usrfiles.com/ugd/b52961_bd9dc7c4c08a4f7fa9463616cab1d7ed.pdf
- https://static.usrfiles.com/ugd/12f4eb_03037238a0764d96bb925ab091e248ef.pdf
- https://static.usrfiles.com/ugd/97368a_17511a1b216b426b8bb84a7a5f6405b6.pdf
- https://static.usrfiles.com/ugd/40512e_9ffe7d9fc83647128c725cda72fbd16c.pdf
- https://cdn.shopify.com/s/files/1/0447/8212/5205/files/alpha_beta_pruning_in_artificial_intelligence.pdf
- https://cdn.shopify.com/s/files/1/0446/6071/9779/files/95789465613.pdf
- https://cdn.shopify.com/s/files/1/0439/4372/3163/files/baradalodipomiz.pdf
- https://static.usrfiles.com/ugd/f515ca_2cff7ce401394427a226cb237d2e0699.pdf
- https://static.usrfiles.com/ugd/07e02c_f0c16b0476d244cf84e15565cb03545b.pdf
- https://static.usrfiles.com/ugd/0c268c_f4553d85458e4854820915fb0e4acaf0.pdf
- https://cdn.shopify.com/s/files/1/0436/9616/0921/files/xutedopaxibiwejubupa.pdf
- https://cdn.shopify.com/s/files/1/0430/5344/9365/files/adventurers_guide_5e.pdf
- https://cdn.shopify.com/s/files/1/0457/5297/5516/files/wodipezumifepolopigudu.pdf
- https://cdn.shopify.com/s/files/1/0432/2027/1259/files/janesville_movie_theater.pdf
- https://cdn.shopify.com/s/files/1/0431/4054/6721/files/69425556780.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000066af.binad6b4f76809b3fa46f828f1d4d31edce04b160bdeb1fded3e270ba31d887846e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x66AF | 5400 bytes |
font_01_sfnt_off00007918.bin8d7e0451461f75ac1d9cf877dfde88428fca48f9cbf29fc9207b0b8be17574b1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7918 | 5156 bytes |
font_02_sfnt_off00008ab2.bin5340c9e748ce8e8d447b157cd50a2c3b56c33b11abd438599a47124b67223e92 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8AB2 | 10684 bytes |
font_03_sfnt_off0000aea0.bin05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xAEA0 | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.