MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a link to a known malicious redirector, ttraff.cc, which is disguised as an educational worksheet. The file also contains a large number of external links, many hosted on cdn.shopify.com, suggesting a link farm or SEO poisoning tactic. The primary malicious URL is likely intended to lead the user to a phishing or malware distribution site.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wb?keyword=convert%20fractions%20to%20decimals%20worksheet%20year%206
- http://files.cflacu.com/uploads/1/3/1/3/131398477/2217734.pdf
- http://files.americanfamilypublications.com/uploads/1/3/0/8/130874328/4720908.pdf
- http://files.mysunshinedistributors.com/uploads/1/3/0/8/130873828/mokeminabarur_rodituku_nezidopi.pdf
- http://files.fittogohealthandfitness.com/uploads/1/3/2/6/132695365/jiromeredidebej.pdf
- http://files.fittog
- https://cdn.shopify.com/s/files/1/0433/2906/1014/files/pewupipuxi.pdf
- https://cdn.shopify.com/s/files/1/0430/3690/1527/files/13965574690.pdf
- https://cdn.shopify.com/s/files/1/0430/1458/6521/files/mamabaxetajoteru.pdf
- https://cdn.shopify.com/s/files/1/0429/2821/0073/files/69843928273.pdf
- https://dojuzemis.files.wordpress.com/2020/07/37946561920.pdf
- https://duwopizemole.files.wordpress.com/2020/07/72803749003.pdf
- https://nusovegot.files.wordpress.com/2020/07/28660731875.pdf
- https://gunobuw.files.wordpress.com/2020/06/87455404953.pdf
- https://vozopowu.files.wordpress.com/2020/06/tokegodufitagipexawef.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/20597849085.pdf
- https://cdn.shopify.com/s/files/1/0428/3806/5308/files/lofajakiduwok.pdf
- https://cdn.shopify.com/s/files/1/0427/8022/9791/files/jomon.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/pawatofamilafal.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/72707516801.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/mijafovaginidobu.pdf
- https://cdn.shopify.com/s/files/1/0433/0379/6894/files/kelalofo.pdf
- https://cdn.shopify.com/s/files/1/0428/9508/1625/files/tilejak.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00007b19.bina21353f5850b1c84f35ae94a32e8746310e7be3f89892c3a0a64d71ccb762170 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7B19 | 5544 bytes |
font_01_sfnt_off00008ddd.bina2e1871e73fac0dc1ab6aa6514ffd6653b29df039ac626d0e762b8b2325c68db |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8DDD | 10568 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.