MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 User Execution: Malicious Link
The PDF contains a malicious redirector link pointing to 'https://ttraff.com/wb?keyword=logiciel%20gratuit%20conversion%20pdf%20vers%20word', which is flagged as malicious. Additionally, it features a link farm of 13 PDF links hosted on Shopify, with one pointing to 'https://cdn.shopify.com/s/files/1/0431/6738/3712/files/37519125954.pdf'. The presence of a visual download button lure further supports a social engineering attack. The document body, though heavily obfuscated, contains the primary malicious URL.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wb?keyword=logiciel%20gratuit%20conversion%20pdf%20vers%20word
- http://files.creeksidepto.com/uploads/1/3/1/3/131380292/bddd4a0a7731ad.pdf
- http://files.esaetapi.org/uploads/1/3/1/4/131453109/wikovuxanujezo-nerufasinifazew-gaxiwaw-kajawevafuzax.pdf
- http://files.v-list.org/uploads/1/3/2/8/132815220/4946318.pdf
- https://cdn.shopify.com/s/files/1/0431/6738/3712/files/37519125954.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/visaboxe.pdf
- https://cdn.shopify.com/s/files/1/0428/1804/4063/files/rososotijakipipaxotegorux.pdf
- https://cdn.shopify.com/s/files/1/0433/4462/5822/files/historia_del_derecho_jorge_basadre.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/99781003244.pdf
- https://cdn.shopify.com/s/files/1/0434/6085/3912/files/10206005592.pdf
- https://cdn.shopify.com/s/files/1/0432/1322/6139/files/apology_of_socrates.pdf
- https://cdn.shopify.com/s/files/1/0435/3936/6047/files/2541805471.pdf
- https://cdn.shopify.com/s/files/1/0435/6761/2067/files/rerukifexafit.pdf
- https://cdn.shopify.com/s/files/1/0449/9764/0360/files/the_legend_of_zelda_ocarina_of_time_strategy_guide.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00004831.bin5c9b29f262dd37fc1579628c95f6d346bc6407a1c4740f7eae20e5955b4c4c64 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4831 | 5416 bytes |
font_01_sfnt_off00005ac3.bina0332767978bbe8b1fc9abc2a5bdfbeb41d7c0dd04be4bcc323d7af011db55e5 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5AC3 | 10064 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.