MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains a large number of external links, many of which point to SEO-optimized PDF files hosted on Shopify. One of the primary links directs to a known malicious redirector, ttraff.cc, which is likely used to obscure the final malicious destination. The document body contains garbled text but includes the target URL, suggesting a lure for users interested in car sales. No scripts were extracted, and the primary malicious activity is driven by the embedded links.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=2015+acura+tl
- http://files.trophyhutinc.com/uploads/1/3/1/0/131071167/kuvapakapudalilifi.pdf
- http://files.eggzotika.com/uploads/1/3/1/4/131453451/8455033051.pdf
- http://files.littlefootfoods.ca/uploads/1/3/1/6/131607027/fc516f.pdf
- http://files.hiddenspringfarmleicesterlongwools.com/uploads/1/3/1/4/131437246/xuzegipegupaxe_vefaz.pdf
- https://cdn.shopify.com/s/files/1/0432/0067/6001/files/lopipope.pdf
- https://cdn.shopify.com/s/files/1/0430/9201/7305/files/a_force_a_pull.pdf
- https://cdn.shopify.com/s/files/1/0436/1771/4338/files/reverse_the_string_in_java.pdf
- https://cdn.shopify.com/s/files/1/0433/5131/0488/files/noxakebela.pdf
- https://cdn.shopify.com/s/files/1/0431/7996/6628/files/602857967.pdf
- https://cdn.shopify.com/s/files/1/0437/8283/2280/files/fogutiwiwegawaju.pdf
- https://cdn.shopify.com/s/files/1/0432/2741/4696/files/sexijejizabiga.pdf
- https://cdn.shopify.com/s/files/1/0432/7496/1059/files/93011173024.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/pajovi.pdf
- https://cdn.shopify.com/s/files/1/0437/3191/0821/files/rune_factory_frontier_bachelorettes.pdf
- https://cdn.shopify.com/s/files/1/0436/9920/8346/files/sigma_alt_code.pdf
- https://cdn.shopify.com/s/files/1/0433/1392/2206/files/67617203116.pdf
- https://cdn.shopify.com/s/files/1/0429/5327/7589/files/synonyme_und_antonyme_deutsch_pdf.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00007ebb.bind02af02adf235af13456dd5cdd4744415c98ce6788eeeb69babef9f84845b5df |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7EBB | 4472 bytes |
font_01_sfnt_off00008df1.bin1190e462b449ae103ec02da66b6d65e932e2cb1882688fc6fa1809b060f5fc82 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8DF1 | 15160 bytes |
font_02_sfnt_off0000bcc4.bin1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xBCC4 | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.