MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
T1059.001 PowerShell
The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.ru/pify?keyword=trinet+passport+login', which is designed to lure users into a phishing scenario. Additionally, the document exhibits characteristics of a callback phishing lure, suggesting the user should contact a provided number in a security or billing context. The presence of a large number of embedded links, many pointing to Shopify domains, indicates a link farm strategy to obscure the malicious destination. No scripts were extracted from this sample.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Callback phishing phone lure medium SE_CALLBACK_LUREDocument asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=trinet+passport+login
- http://files.j-west.net/uploads/1/3/0/7/130775286/redinizubotorenene.pdf
- http://files.yellowlanternproductions.com/uploads/1/3/1/4/131438419/2654884.pdf
- http://files.devoted-disciple.com/uploads/1/3/0/7/130775980/6b80b4fadf.pdf
- http://files.windmillgsd.com/uploads/1/3/1/4/131437275/kerosef.pdf
- https://cdn.shopify.com/s/files/1/0433/7316/6744/files/manireko.pdf
- https://cdn.shopify.com/s/files/1/0431/6217/3602/files/55871731736.pdf
- https://cdn.shopify.com/s/files/1/0427/3173/3159/files/22314242860.pdf
- https://cdn.shopify.com/s/files/1/0434/8834/6262/files/fenodinapironedukawewi.pdf
- https://cdn.shopify.com/s/files/1/0438/6642/3456/files/nugebeforufovi.pdf
- https://cdn.shopify.com/s/files/1/0437/3423/7333/files/pebapagaridulipugekuj.pdf
- https://cdn.shopify.com/s/files/1/0431/6823/5682/files/dasupadovo.pdf
- https://cdn.shopify.com/s/files/1/0433/7870/4536/files/41157945434.pdf
- https://cdn.shopify.com/s/files/1/0436/7548/4313/files/turiwopajaziki.pdf
- https://cdn.shopify.com/s/files/1/0436/9822/5320/files/49017741236.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005af9.binbe171e87f0abf3a02e130b90523bce9a2f2c41c85459af64c25b9382cc139d85 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5AF9 | 4936 bytes |
font_01_sfnt_off00006bd1.bine980fc5e498c448a6c9ce32eed435a4eb0d37e9af82551fd128ebe86a59af848 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6BD1 | 10656 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.