MALICIOUS
130
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains a critical heuristic indicating it's a malicious redirector link, pointing to 'ttraff.ru'. This URL is presented to the user as a download for 'swing dance steps pdf'. The file also contains a large number of embedded links, many pointing to Shopify domains, suggesting a link farm or redirection strategy. The presence of a 'download button' heuristic further supports the lure. No scripts were extracted, and the document body is heavily obfuscated, but the primary attack pattern is clear: social engineering via a malicious link.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=swing+dance+steps+pdf
- http://files.refineaestheticsllc.com/uploads/1/3/1/4/131437806/b4996ec2.pdf
- http://files.nickbridwellwriter.com/uploads/1/3/1/8/131856234/buxojapimo.pdf
- http://files.lolas-ecec.org/uploads/1/3/1/6/131606859/e0e1eb0df5.pdf
- http://files.bestdealvacations.com/uploads/1/3/0/7/130740442/6441455.pdf
- http://files.jadeduo.com/uploads/1/3/2/6/132695862/7d88e.pdf
- https://cdn.shopify.com/s/files/1/0440/7469/6856/files/73137888909.pdf
- https://cdn.shopify.com/s/files/1/0433/9263/0940/files/nbte_curriculum_for_business_administration.pdf
- https://cdn.shopify.com/s/files/1/0430/6649/1041/files/33464600270.pdf
- https://cdn.shopify.com/s/files/1/0431/8520/9506/files/76718394398.pdf
- https://cdn.shopify.com/s/files/1/0432/9019/8180/files/icao_security_annex_17.pdf
- https://cdn.shopify.com/s/files/1/0447/0204/0217/files/latomol.pdf
- https://cdn.shopify.com/s/files/1/0431/4162/8053/files/4450828041.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/vofelowuloluvazoriwonub.pdf
- https://cdn.shopify.com/s/files/1/0429/6137/1290/files/69642451888.pdf
- https://cdn.shopify.com/s/files/1/0430/0272/4506/files/john_deere_sabre_14._5_38_manual.pdf
- https://cdn.shopify.com/s/files/1/0432/5729/9097/files/5358529738.pdf
- https://cdn.shopify.com/s/files/1/0428/7637/1110/files/kerinatosimik.pdf
- https://cdn.shopify.com/s/files/1/0430/8307/1650/files/92476493500.pdf
- https://cdn.shopify.com/s/files/1/0432/7551/8107/files/besipenorawikipax.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000062a3.bine697c43210c3a1a1fbb715e72bd2c261295721d7d7d34082ec025b6ea4d98a42 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x62A3 | 5392 bytes |
font_01_sfnt_off0000751e.bin5c8a3f4c30b2339a415cef70e93a12ab25bc3bd99fc74707ec53f4d9790dc32b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x751E | 10136 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.