MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.link/wix?keyword=tca+tattoo+removal+results'. This URL is presented within the document body, suggesting a social engineering lure related to 'tca tattoo removal results'. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs, many hosted on Shopify. The primary malicious URL is likely intended to redirect the user to a phishing or malware distribution site.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.link/wix?keyword=tca+tattoo+removal+results
- https://cdn.shopify.com/s/files/1/0444/6827/3319/files/basics_of_c_programing.pdf
- https://cdn.shopify.com/s/files/1/0428/9927/5935/files/jorotapudulum.pdf
- https://cdn.shopify.com/s/files/1/0433/5576/6942/files/essential_words_for_the_ielts_2nd_edition.pdf
- https://cdn.shopify.com/s/files/1/0434/2251/5351/files/crest_high_school_north_carolina.pdf
- https://28253293-4598-422b-89d0-55fac3f39dd2.filesusr.com/ugd/911c12_7d2a71eb9db64be28d43c344f63312ce.pdf?index=true
- https://81cd5016-7b39-4344-8088-159db44858c2.filesusr.com/ugd/debdc1_20edf29b82fd4fdbb1c8e9b717b59a21.pdf?index=true
- https://6e9d004e-55df-445b-af38-5c47361f8be2.filesusr.com/ugd/405339_8fef814695294250b054b0db4a939fff.pdf?index=true
- https://4ccaeaeb-9ac9-4a30-ac5c-f16d1f738bf5.filesusr.com/ugd/97aff7_b0dde029214d4b40861029124ec937f7.pdf?index=true
- https://73a5498f-e810-4e0d-9611-f1f885ae5fc5.filesusr.com/ugd/4a2613_dffc27c36be545bd8757e7a692cb2613.pdf?index=true
- https://cdn.shopify.com/s/files/1/0434/6707/9830/files/winrar_latest_version_pc.pdf
- https://cdn.shopify.com/s/files/1/0452/1220/5216/files/cash_book_definition.pdf
- https://52188af0-2110-470f-af15-db7c344facc7.filesusr.com/ugd/c8683e_812eb97a109f44fd8a2c375a7a62056b.pdf?index=true
- https://606989d4-2f64-4857-82a0-b6206a4898ff.filesusr.com/ugd/5aec95_c03341dfc31d431a9cd35f0526bce8fb.pdf?index=true
- https://848d01a7-9299-4723-bbbc-7c5b08bc5005.filesusr.com/ugd/3f2390_0c2424440bf34c2a8fd4bc5f9a9c4d2f.pdf?index=true
- https://bdec68de-d4d8-43c9-8b48-d07585578a32.filesusr.com/ugd/ee9d3f_d5d597ebeda14e25a17fd47bb70d75c7.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://81cd5016-7b39-4344-8088-159db44858c2.filesusr.com/ugd/debdc1_20edf29b82fd4fdbb1c8e9b717b59a21
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00008d36.binf1c2f71d6491c1cae6342e2d39b33f4ef21c0727c7eace36da36efc9d67495eb |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8D36 | 4952 bytes |
font_01_sfnt_off00009dfc.binaf554373b1da2aa48035eae6f882d638dfbd8a23f7b561e9273f78aba2fb9d87 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9DFC | 11148 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.