MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.me/123?keyword=vsam+status+codes'. This indicates the document's primary purpose is to lure the user to a malicious site. The presence of a large number of embedded links, many pointing to external PDFs, further supports a link farm or redirection strategy. No scripts were extracted, but the embedded URL is sufficient evidence of malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.me/123?keyword=vsam+status+codes
- https://cdn-cms.f-static.net/uploads/4372960/normal_5f984bd5b7a88.pdf
- https://seguronudolag.weebly.com/uploads/1/3/4/4/134468074/pedol.pdf
- https://cdn-cms.f-static.net/uploads/4366989/normal_5f926b6382e39.pdf
- https://zodowiburasuv.weebly.com/uploads/1/3/4/4/134448486/5445570.pdf
- https://zebazowis.weebly.com/uploads/1/3/4/3/134310266/mepipesexofulo.pdf
- https://cdn-cms.f-static.net/uploads/4366659/normal_5f8aa26a4564c.pdf
- https://papazutizo.weebly.com/uploads/1/3/4/4/134467207/4750295.pdf
- https://xipunozelizu.weebly.com/uploads/1/3/1/3/131382486/53acd061734.pdf
- https://cdn-cms.f-static.net/uploads/4382186/normal_5f903021d0bc2.pdf
- https://cdn-cms.f-static.net/uploads/4366661/normal_5f8757a396336.pdf
- https://zalopajozi.weebly.com/uploads/1/3/1/4/131453352/nojufovozoliz.pdf
- https://firedisivimi.weebly.com/uploads/1/3/0/9/130969818/9594397.pdf
- https://uploads.strikinglycdn.com/files/10200e31-a643-4a58-a9fc-035c53adf608/31207799937.pdf
- https://uploads.strikinglycdn.com/files/49ec67a7-a205-41b2-9828-cdebd8f0cb75/nikugif.pdf
- https://cdn.shopify.com/s/files/1/0482/2273/2445/files/honey_select_2_clothing.pdf
- https://cdn.shopify.com/s/files/1/0504/7920/2469/files/add_button_click_event_android_studio.pdf
- https://uploads.strikinglycdn.com/files/f1eaed33-2f9a-4479-ac2b-6bdf8e047c27/zubabekoxodaguwa.pdf
- https://cdn.shopify.com/s/files/1/0437/7663/9127/files/slim_framework_3_tutorial.pdf
- https://uploads.strikinglycdn.com/files/ad081ec6-0ad4-4777-8df6-a5fe55e63ef6/29985473725.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00009289.binb79dd3c3a8efbf2228d7c3ade681f318c68af6b23ab63c540554f243908b4c7c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9289 | 4920 bytes |
font_01_sfnt_off0000a33a.binaa8484fbe5e04176e59277772c3e1dd4188432577227eff3df6ee46d47c23a0f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA33A | 10920 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.