MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1204 Malicious Link
T1566 Phishing
T1059 Command and Scripting Interpreter
The PDF file contains a lure for a fake "Android TV app update pending" notification, directing users to install a browser extension or update. This is supported by the 'SE_BROWSER_INSTALL_LURE' heuristic. The primary malicious URL, 'https://ttraff.cc/pify?keyword=android+tv+app+update+pending', is identified as a malicious redirector. The document also hosts a large number of benign-looking PDFs on Shopify, likely for SEO manipulation to increase visibility of the malicious lure.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Browser extension / update installation lure high SE_BROWSER_INSTALL_LUREDocument tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=android+tv+app+update+pending
- http://files.arsfabricandi.com/uploads/1/3/0/7/130775197/puselib.pdf
- http://ditav.matusnursingreview.com/uploads/1/3/1/3/131384635/8968919.pdf
- http://files.stevewestgroup.com/uploads/1/3/0/7/130740256/pajibizitazuvat.pdf
- https://cdn.shopify.com/s/files/1/0436/6965/1606/files/taxonomy_of_plants.pdf
- https://cdn.shopify.com/s/files/1/0432/2502/2621/files/54862809505.pdf
- https://cdn.shopify.com/s/files/1/0431/4162/8072/files/16152263901.pdf
- https://cdn.shopify.com/s/files/1/0428/8747/9455/files/kanibiga.pdf
- https://cdn.shopify.com/s/files/1/0433/0127/3758/files/54424568497.pdf
- https://cdn.shopify.com/s/files/1/0428/3016/8230/files/warhammer_40k_8th_edition_missions.pdf
- https://cdn.shopify.com/s/files/1/0432/7584/5792/files/apprendre_python_rapidement.pdf
- https://cdn.shopify.com/s/files/1/0428/0185/6679/files/putova.pdf
- https://cdn.shopify.com/s/files/1/0434/3549/1490/files/sign_adobe_with_topaz.pdf
- https://cdn.shopify.com/s/files/1/0433/6294/3127/files/divanowililemaru.pdf
- https://cdn.shopify.com/s/files/1/0435/9569/4239/files/napatetetigivikoditu.pdf
- https://cdn.shopify.com/s/files/1/0435/9893/8274/files/gm_owners_manual.pdf
- https://cdn.shopify.com/s/files/1/0429/0910/6343/files/lamolojuzofejudaru.pdf
- https://cdn.shopify.com/s/files/1/0436/2957/6352/files/82877557261.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/liwisubusamepumiv.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000662e.binbda820a3227f7164483634a3945fc907fb29fcf51abfb03437b097351de02794 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x662E | 4968 bytes |
font_01_sfnt_off00007727.bin3b314d12a67b8a9d1b42710f7da8e7128847e3fc585909eb5258d0d3e82b01cb |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7727 | 10624 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.