MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.001 User Execution: Malicious Link
T1059.001 PowerShell
The PDF contains a malicious redirector link pointing to 'ttraff.com', which is flagged as malicious. Additionally, it hosts a large number of external PDF links, many pointing to 'static.usrfiles.com', suggesting a link farm or SEO abuse tactic. The document body, though heavily obfuscated, contains the target URL and mentions 'QR code lure', indicating a social engineering attempt to direct users to malicious content. No scripts were extracted, but the presence of malicious links and the link farm heuristic strongly suggest a phishing or malware distribution attempt.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
QR-code redirect lure medium SE_QR_LUREDocument instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=lego+worlds+legendary+coordinates
- https://static.usrfiles.com/ugd/be19e1_e313bb05d8a94d79bfda4a6806eb84be.pdf
- https://static.usrfiles.com/ugd/b8c837_65e21b207f954b5aa20bf575f0bf44ab.pdf
- https://static.usrfiles.com/ugd/a640e9_00019a0d51db40cfa9599a9a6d19101f.pdf
- https://static.usrfiles.com/ugd/fd7405_f5a4cf8246974897bf363cc1a8248f9d.pdf
- https://static.usrfiles.com/ugd/850f07_edda2871653742d989e37c67b7d559af.pdf
- https://static.usrfiles.com/ugd/b27199_d11b99a2ac4540cdae738a63e04114f1.pdf
- https://static.usrfiles.com/ugd/b8c837_c339c8983be644e3b4c99bf180b96e90.pdf
- https://static.usrfiles.com/ugd/b8c837_f17c6554e1ce4a27b2ea7a8688aa29ca.pdf
- https://static.usrfiles.com/ugd/bb13a2_1a349ff9a4c64a46888ec1580a50ec60.pdf
- https://static.usrfiles.com/ugd/a18aa6_7ab0d6ae593f470182b023fd9c616d70.pdf
- https://static.usrfiles.com/ugd/b8c837_7fb9aedc51804b0da9bd5ac73ec33ef4.pdf
- https://static.usrfiles.com/ugd/b8c837_fa1ed2993df2487d960fe704b1703569.pdf
- https://static.usrfiles.com/ugd/04e6f9_2272cf1e0057491c80489721bad85344.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000062a2.bine46b56ee1fb24e1c4e244ae616f75f5caee88219bf8d7824a2e2fe579156f097 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x62A2 | 5240 bytes |
font_01_sfnt_off0000749e.bind0eb6c7dd80ca6984824f6793c507558b46999a7ef62651c342b75d39b10916f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x749E | 12856 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.