Malware Insights
The PDF file contains a link to a known malicious redirector, ttraff.ru, which is likely intended to lead the user to a phishing or malware distribution site. The document body, though heavily obfuscated, contains the same URL and references to 'android button onclicklistener new intent', suggesting a lure related to software development or technical topics. The presence of a large number of embedded PDF links, many pointing to static.usrfiles.com, indicates a link farm strategy to potentially improve search engine ranking or distribute content.
Heuristics 3
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://ttraff.ru/wix?keyword=android+button+onclicklistener+new+intent
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000637e.bin adeb5398e0c39ccd18aec96a61ddfdab4e19c954d77e223b20d4c06a7238197a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x637E | 4888 bytes |
| font_01_sfnt_off00007432.bin b902766247d9063ac29ef56ea84a593177e7341e73bf26e8494aae450755c2f5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7432 | 10980 bytes |
| font_02_sfnt_off000099ff.bin 867fd276a12397c4e9cf6579dce5e07e5ba80c6769d60c08053fe2abc7b8f701 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x99FF | 16352 bytes |
| font_03_sfnt_off0000af89.bin 7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xAF89 | 4324 bytes |