MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.001 User Execution: Malicious Link
T1598.001 URL Discovery: Phishing For Information
The PDF contains a large number of embedded links, many pointing to what appears to be a link farm designed for SEO manipulation. One critical heuristic indicates a direct link to a known malicious redirector at 'https://ttraff.ru/wix?keyword=gold+pants+mii+qr+codes'. The document body, though heavily obfuscated, also contains this URL and other PDF links. The presence of a QR code lure heuristic further suggests a phishing or redirection attempt.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
QR-code redirect lure medium SE_QR_LUREDocument instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wix?keyword=gold+pants+mii+qr+codes
- https://cdn.shopify.com/s/files/1/0435/2973/2248/files/kigugi.pdf
- https://cdn.shopify.com/s/files/1/0433/7192/1571/files/59272132816.pdf
- https://cdn.shopify.com/s/files/1/0434/4204/5090/files/adobe_for_macbook_pro.pdf
- https://static.usrfiles.com/ugd/b8c837_2986a01e740a42bebdd0852c6651dd67.pdf
- https://static.usrfiles.com/ugd/c068f8_f283093d8e12417faef9892331e4074a.pdf
- https://static.usrfiles.com/ugd/362633_c5f2675e73ae44a6aee4fc6c988d5a6d.pdf
- https://static.usrfiles.com/ugd/b8c837_c6913ae6bdec4ea0aebe9d4c3286ee4c.pdf
- https://static.usrfiles.com/ugd/ecec20_5e79256920ac4cf9aa5028e2ddb00180.pdf
- https://static.usrfiles.com/ugd/136d07_6b6b576c80a14b8e9f9f184d60a072ff.pdf
- https://static.usrfiles.com/ugd/a4e402_fd784d8c9072404a9d091da4953045f1.pdf
- https://static.usrfiles.com/ugd/b8c837_f702f7ca07b3449f80b3d98b7fa04ab3.pdf
- https://static.usrfiles.com/ugd/b8c837_d3e1e33ee8e147dd8f8349ff164afa72.pdf
- https://static.usrfiles.com/ugd/b8c837_b5454b90080f4979982861724bee7770.pdf
- https://static.usrfiles.com/ugd/ba3095_be291474d9bb4311a367da6b0fa038c6.pdf
- https://static.usrfiles.com/ugd/b8c837_c73b640a1b314033a10e4d1afbca21dc.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_005_off00009731.bin88f6dde65e4bd5a749649ba906927c11ae45dab326b92918b6e6817f41f93725 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x9731 | 18544 bytes |
font_00_sfnt_off000061bf.bine740d4fec85e898efffbe710836011d13074c7f9536cf842721e51e333a0dc63 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x61BF | 5376 bytes |
font_01_sfnt_off000073f1.bin37f18c74fa9c2c57a8bc6f88ba40bea95cf1258271342f46a666f237e574c775 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x73F1 | 10412 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.