MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
T1204.002 Malicious Link
The PDF contains a link farm and a specific malicious redirector URL, indicating a phishing or malware distribution attempt. The document body, though heavily obfuscated, contains the text 'Helen keller worksheets for 3rd grade' and the malicious URL 'https://ttraff.me/wix?keyword=helen+keller+worksheets+for+3rd+grade', suggesting a lure to trick users into clicking the link. The presence of numerous other PDF links further supports the link farm heuristic.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.me/wix?keyword=helen+keller+worksheets+for+3rd+grade
- http://fizejema.churchoftheholyspirit.org/uploads/1/3/2/6/132696558/e16e73.pdf
- http://logul.boostfitness.co.uk/uploads/1/3/0/7/130775309/6537297.pdf
- http://kunuruku.breedengallery.com/uploads/1/3/2/7/132740829/7213947.pdf
- http://files.livepurebodycare.com/uploads/1/3/2/6/132681438/gusitefa.pdf
- https://b08921c9-ee94-4b31-9366-7952f41c29c0.filesusr.com/ugd/a382ee_f8ac7120001e4d0383c124db6248f3fe.pdf?index=true
- https://fd169d0c-b088-413b-89f5-7d0e9bd35afb.filesusr.com/ugd/3b0c81_58fccc24c99a409595973c62e4fce042.pdf?index=true
- https://fac2db32-8e98-4cad-bfc6-d8843c82e520.filesusr.com/ugd/c7a620_781ec32b085f4369a927a89f563b0486.pdf?index=true
- https://1d06ba43-cb9c-4d8a-9011-023fb448ca96.filesusr.com/ugd/dc8a8e_7e87d414225f46a29b45960e1e2bb1db.pdf?index=true
- https://cdn.shopify.com/s/files/1/0437/2830/6330/files/41823203274.pdf
- https://cdn.shopify.com/s/files/1/0434/5724/9430/files/munukixiwakifuja.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/tedix.pdf
- https://cdn.shopify.com/s/files/1/0429/8797/8913/files/equipment_rental_agreement_template_south_africa.pdf
- https://cdn.shopify.com/s/files/1/0440/1430/5430/files/glu_credits_hack_apk.pdf
- https://cdn.shopify.com/s/files/1/0470/8981/1614/files/89584713160.pdf
- https://cdn.shopify.com/s/files/1/0431/1062/9532/files/60171520214.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000633b.bin89c7b40cfbd8bcd1287e3eca78d16038dab6fb8bd4a211a3a5fd02e505b3d56e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x633B | 5192 bytes |
font_01_sfnt_off000074e7.bindd6fba2e9760fe36b68974296d509bd3d65f6073c394d8ee466696c5d9f877fd |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x74E7 | 10576 bytes |
font_02_sfnt_off000098cd.bin4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x98CD | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.