MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a link disguised as a worksheet for grade 1 students. This link, however, redirects to a known malicious domain (ttraff.com). The PDF also contains a large number of external links, many of which point to benign content, suggesting a link farm or SEO poisoning attempt. The presence of a 'download button' heuristic further supports the lure-based attack pattern. No scripts were extracted, but the primary malicious action is the redirection via the embedded link.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=cursive+writing+worksheet+for+grade+1
- https://static.usrfiles.com/ugd/934fc3_f1ce8729b93e4934ad13e67588d6017c.pdf
- https://static.usrfiles.com/ugd/b8c837_df087bd10e5f419e8aa4f439edae7421.pdf
- https://static.usrfiles.com/ugd/b8c837_854ccda3cc304d0586db2b2da9a270c3.pdf
- https://static.usrfiles.com/ugd/b916f4_b811db3865a541fea56dd6d2ea780b42.pdf
- https://static.usrfiles.com/ugd/b8c837_84925f555f054e87bcf7bacf60537fb1.pdf
- https://static.usrfiles.com/ugd/61b8bf_f78270790ef34f43ab27167da61f3d3c.pdf
- https://cdn.shopify.com/s/files/1/0431/2409/7191/files/gebij.pdf
- https://cdn.shopify.com/s/files/1/0438/0898/1153/files/sistema_cgs_tabla.pdf
- https://cdn.shopify.com/s/files/1/0428/9105/1161/files/christmas_colouring_sheet_free.pdf
- https://cdn.shopify.com/s/files/1/0434/8225/1421/files/julunefenajofukokado.pdf
- https://cdn.shopify.com/s/files/1/0437/4865/5265/files/ark_raptor_zhmen.pdf
- https://cdn.shopify.com/s/files/1/0432/6028/0982/files/rekiwitefatijadepepamax.pdf
- https://cdn.shopify.com/s/files/1/0438/1445/3410/files/74020515897.pdf
- https://cdn.shopify.com/s/files/1/0438/1592/7965/files/zawovurani.pdf
- https://cdn.shopify.com/s/files/1/0431/4536/3610/files/stormcast_eternals.pdf
- https://cdn.shopify.com/s/files/1/0428/3197/0471/files/kriteria_sepsis_neonatorum.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005be9.binee67f1b43148b557c5d7e03c7443b2b766ffc8a8f018975be7415b6981dce285 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5BE9 | 5312 bytes |
font_01_sfnt_off00006e10.bin205cef060ce9da8191a1100857e7f79cc98b41cbc355ae3b40196009f520284d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6E10 | 10084 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.