Risk Score: 128 (MALICIOUS)
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Link
T1204.002 Malicious File
The PDF triggers a heuristic for a malicious redirector link pointing to 'ttraff.com'. It also shows link-farm characteristics: 15 embedded external PDF links, all on a single host (static.usrfiles.com). The document body, though partially garbled, contains invoice-template text, which matches the SE_INVOICE_LURE heuristic. The primary malicious IOC is the redirector URL, which is likely used to funnel victims to a phishing or malware-hosting site; the document relies on the user clicking that link rather than on a PDF parser vulnerability.
Heuristics 4
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Fake invoice / payment lure (low, SE_INVOICE_LURE): Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  Redirector URL:
  - https://ttraff.com/pify?keyword=nz+ird+tax+invoice+template
  External PDF links (15, all on static.usrfiles.com):
  - https://static.usrfiles.com/ugd/01f9b9_ce4b4ee9e1f24efebc39ef5a201c1aad.pdf
  - https://static.usrfiles.com/ugd/64db51_5f9be5f48602412286aa8fd5d23bbe3f.pdf
  - https://static.usrfiles.com/ugd/bfbc46_e46d94bec6b446a683c090385ed2cdf8.pdf
  - https://static.usrfiles.com/ugd/d9d1f5_17d3c15a09e94cc2b384117198497f31.pdf
  - https://static.usrfiles.com/ugd/822ecd_7d566954e6ab4b6fa7b40aad487cae47.pdf
  - https://static.usrfiles.com/ugd/764aaa_24804259c3ba4696a94aba483e9ec81d.pdf
  - https://static.usrfiles.com/ugd/2c8d66_1fb992f5e5694603a658c4f4ef44579e.pdf
  - https://static.usrfiles.com/ugd/b8c837_db409db4f6a241769f915350bc4ae4e7.pdf
  - https://static.usrfiles.com/ugd/b47706_e3470f2427d9462f97535cbbb985c44c.pdf
  - https://static.usrfiles.com/ugd/de65f7_73a6828e30b2459bb8f49e3527192ab4.pdf
  - https://static.usrfiles.com/ugd/b8c837_adcf0e3d827b45dfb0d27593129c00a1.pdf
  - https://static.usrfiles.com/ugd/824332_dba3457166724969bcab1add41288dee.pdf
  - https://static.usrfiles.com/ugd/185811_4a2957da11b84f27b0843abf6e8e5eb9.pdf
  - https://static.usrfiles.com/ugd/32777b_8bde8db7030f48a48da19eb4268d8839.pdf
  - https://static.usrfiles.com/ugd/ced2dc_b3ef4113eef948209adb715a4fa74787.pdf
  XMP metadata namespace URIs (schema identifiers from the document's metadata, not clickable links):
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/rights/
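The two link heuristics above can be reproduced with a raw scan of the PDF bytes. The following is an added example, not the analyzer's own code: it pulls `/URI` targets out of uncompressed link annotations, flags any host on a redirector list (illustrative, containing only ttraff.com from this report), and applies a link-farm rule (small file, many external .pdf links, mostly on one host). The thresholds, the `build_sample_pdf` helper and the sample PDF are constructed for the demonstration; the sample reuses the redirector URL and six of the usrfiles links listed above, plus one constructed benign link.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI targets inside link-annotation action dicts, as PDF literal "(...)" or hex "<...>" strings.
URI_LITERAL_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")

# Illustrative redirector list (assumption): only the host named in this report.
REDIRECTOR_HOSTS = {"ttraff.com"}


def _unescape(raw: bytes) -> bytes:
    """Undo the PDF literal-string escapes that can appear in a URL: \\( \\) and \\\\."""
    return re.sub(rb"\\([()\\])", rb"\1", raw)


def extract_uris(pdf: bytes) -> list:
    """Return every /URI target found in plain annotation dicts.
    Caveat: objects packed into compressed /ObjStm streams must be inflated before this scan."""
    found = [_unescape(m.group(1)) for m in URI_LITERAL_RE.finditer(pdf)]
    found += [bytes.fromhex(m.group(1).decode("ascii")) for m in URI_HEX_RE.finditer(pdf)]
    return [u.decode("latin-1") for u in found]


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def redirector_hits(uris) -> list:
    """Analogue of PDF_MALICIOUS_REDIRECTOR_LINK: clickable URIs whose host is a known redirector."""
    return [u for u in uris if host_of(u) in REDIRECTOR_HOSTS]


def link_farm(uris, pdf_size: int, *, max_size=100_000, min_pdf_links=5, min_share=0.5) -> dict:
    """Analogue of PDF_SEO_LINK_FARM: a small file carrying many external .pdf links,
    most of them clustered on one host. Thresholds are assumed, not the analyzer's."""
    pdf_links = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(host_of(u) for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    return {
        "triggered": pdf_size <= max_size and len(pdf_links) >= min_pdf_links and share >= min_share,
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_share": round(share, 2),
    }


def analyze(pdf: bytes) -> dict:
    uris = extract_uris(pdf)
    return {"uris": uris, "redirector_hits": redirector_hits(uris), "link_farm": link_farm(uris, len(pdf))}


def build_sample_pdf(uris) -> bytes:
    """Constructed minimal PDF: one /Link annotation per URI. It has no xref table, so a viewer
    would reject it, but it is enough for a raw byte scan."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI ("
        + re.sub(rb"([()\\])", rb"\\\1", u.encode("latin-1"))  # escape ( ) \ as PDF requires
        + b") >> >>\n"
        for u in uris
    )
    return b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n3 0 obj [\n" + annots + b"] endobj\n%%EOF\n"


# Constructed sample: the redirector URL and six of the usrfiles links from this report,
# plus one benign non-PDF link that the .pdf filter should ignore.
SAMPLE_URIS = [
    "https://ttraff.com/pify?keyword=nz+ird+tax+invoice+template",
    "https://static.usrfiles.com/ugd/01f9b9_ce4b4ee9e1f24efebc39ef5a201c1aad.pdf",
    "https://static.usrfiles.com/ugd/64db51_5f9be5f48602412286aa8fd5d23bbe3f.pdf",
    "https://static.usrfiles.com/ugd/bfbc46_e46d94bec6b446a683c090385ed2cdf8.pdf",
    "https://static.usrfiles.com/ugd/d9d1f5_17d3c15a09e94cc2b384117198497f31.pdf",
    "https://static.usrfiles.com/ugd/822ecd_7d566954e6ab4b6fa7b40aad487cae47.pdf",
    "https://static.usrfiles.com/ugd/764aaa_24804259c3ba4696a94aba483e9ec81d.pdf",
    "https://example.org/contact",
]

if __name__ == "__main__":
    report = analyze(build_sample_pdf(SAMPLE_URIS))
    print("redirector hits:", report["redirector_hits"])
    print("link farm:", report["link_farm"])
```

Run it against a real sample with `analyze(open(path, "rb").read())`. On production PDFs, inflate `/FlateDecode` object streams first (or use a PDF library's annotation walker), since a regex over raw bytes only sees annotation dicts stored uncompressed; the sample in this report carries its links as plain link annotations, which is why the analyzer's heuristics could count them.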
Extracted artifacts 4
Files carved from inside the sample during analysis. All four are embedded sfnt (TrueType/OpenType) font streams; embedded fonts are expected in any PDF that renders text and are listed for completeness, not as indicators.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off000064f6.bin | 223f6f4e6d5bf8ef58cb765c49cefad56cd41aa8d1f55f921e48a1adfbcccba5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x64F6 | 4976 bytes |
| font_01_sfnt_off000075d2.bin | 0ec4b61051e233e9b5820b1b7addc0271998c804440a3e5a0ea8264adac53630 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x75D2 | 10572 bytes |
| font_02_sfnt_off000099a5.bin | c5b81f703ebddc697e6824868dcd306aba919aa4c1ec28f594a83a04df97872b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x99A5 | 16144 bytes |
| font_03_sfnt_off0000aea5.bin | ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xAEA5 | 4324 bytes |