Malware Insights
Two critical heuristics fire on this PDF: a clickable link to known malicious redirector infrastructure, 'https://ttraff.me/wix?keyword=oracle+java+6++archive', and a mass link farm of external PDF URLs. The redirector URL is almost certainly meant to route the user into a redirect chain ending in a malicious or unwanted-software download; the SE_DOWNLOAD_BUTTON heuristic (low severity on its own) indicates the page is dressed up with a call-to-action phrase to get the user to click it. The document body, though heavily obfuscated, carries the same redirector URL plus a large number of other PDF links, mostly hosted on static.usrfiles.com and cdn.shopify.com, a pattern that matches generated SEO link-farm carriers built to obscure the final destination rather than normal document citations. The campaign relies on user interaction and redirects, not on a PDF parser vulnerability, so the relevant controls are blocking the redirector and link-farm hosts and inspecting link targets, not a reader patch. Note also that the w3.org, purl.org and ns.adobe.com entries in the extracted URL list are XMP/RDF metadata namespace identifiers present in any PDF with XMP metadata; they are not navigable links and should not be treated as indicators.
Heuristics (4)
- PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON: Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
- https://ttraff.me/wix?keyword=oracle+java+6++archive
- https://cdn.shopify.com/s/files/1/0461/7542/0579/files/gasavuvijezosotutogibir.pdf
- https://cdn.shopify.com/s/files/1/0438/0504/8994/files/83012605594.pdf
- https://cdn.shopify.com/s/files/1/0434/2090/9733/files/80721704705.pdf
- https://static.usrfiles.com/ugd/fb83f1_82b7d7df6c4844b698381f91cb9dd5ad.pdf
- https://static.usrfiles.com/ugd/c12414_722c422ec2194de991af198a7ef3ea3e.pdf
- https://static.usrfiles.com/ugd/b8c837_81d893d104914a2687a9c730930d7f40.pdf
- https://static.usrfiles.com/ugd/ed64d2_aa9c0fa9b0b64e26b48048c49d646ba2.pdf
- https://static.usrfiles.com/ugd/b8c837_621424b95c80457fa38de0bc782c28aa.pdf
- https://static.usrfiles.com/ugd/0d9a50_c4d6995e441f4b5082bcf857a98f0199.pdf
- https://static.usrfiles.com/ugd/fe83c3_9a9e225f7e7a44e287d9d6a43feee196.pdf
- https://static.usrfiles.com/ugd/36f25b_6cfc4568164d434f870a14254c27a5ec.pdf
- https://static.usrfiles.com/ugd/451a43_477bb19724914158be4dd6c7c475a8f1.pdf
- https://static.usrfiles.com/ugd/2f7815_2bf52c2d74274dbbb2f32d8f88a8d029.pdf
- https://static.usrfiles.com/ugd/e1d12c_121a8fb56cf144508547ebf5d818c1cb.pdf
- https://static.usrfiles.com/ugd/97aff7_596dcd4d48ab4086bdc6df4c5fae5810.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
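As an added example, not part of the original report or of the analyzer's own code, the Python script below re-implements the four heuristics above in their simplest form and runs them over a constructed PDF byte string modelled on this sample. The redirector host list (seeded only with the host named in this report), the link-farm thresholds and the call-to-action phrase list are assumptions chosen for illustration; the analyzer's real rules and thresholds are not published on this page. URIs are pulled from literal-string /URI entries with a regex, so hex-encoded strings and compressed object streams are not covered.

```python
"""Added example (not the analyzer's code): minimal re-implementation of the
PDF_MALICIOUS_REDIRECTOR_LINK, PDF_SEO_LINK_FARM, SE_DOWNLOAD_BUTTON and
EMBEDDED_URL heuristics, run over a constructed PDF byte string.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: a tiny PDF skeleton with link annotations and one text
# object. The xref table is omitted on purpose; the heuristics never need it.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R 9 0 R] >> endobj
4 0 obj << /Length 44 >> stream
BT /F1 12 Tf 72 700 Td (Download Now) Tj ET
endstream endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://ttraff.me/wix?keyword=oracle+java+6++archive) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://static.usrfiles.com/ugd/aa_1.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://static.usrfiles.com/ugd/aa_2.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://static.usrfiles.com/ugd/aa_3.pdf) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0001/files/x.pdf) >> >> endobj
%%EOF
"""

# Assumptions: the host list comes from this report only; thresholds and
# phrases are illustrative, not the analyzer's real tuning.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.me"}
CTA_PHRASES = ("click here to download", "download now", "download pdf")
LINK_FARM_MIN_LINKS = 3        # minimum external .pdf links to consider
LINK_FARM_MAX_SIZE = 200_000   # "small PDF" upper bound, in bytes
LINK_FARM_HOST_SHARE = 0.5     # share of .pdf links on the single busiest host

# Literal strings only: balanced-paren-free body with backslash escapes allowed.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
TJ_RE = re.compile(rb"\(((?:[^()\\]|\\.)*)\)\s*Tj")


def extract_uris(pdf: bytes) -> list[str]:
    """Return URIs from /URI (literal string) entries, in document order."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def extract_text(pdf: bytes) -> str:
    """Crude text recovery: literal strings shown with Tj in uncompressed content streams."""
    return " ".join(m.group(1).decode("latin-1") for m in TJ_RE.finditer(pdf))


def run_heuristics(pdf: bytes) -> dict[str, dict]:
    """Evaluate the four heuristics; returns {HEURISTIC_ID: details} for those that fire."""
    uris = extract_uris(pdf)
    hosts = [urlparse(u).hostname or "" for u in uris]
    findings: dict[str, dict] = {}

    # PDF_MALICIOUS_REDIRECTOR_LINK: any clickable URI on a known redirector host.
    hits = sorted({u for u, h in zip(uris, hosts) if h in KNOWN_REDIRECTOR_HOSTS})
    if hits:
        findings["PDF_MALICIOUS_REDIRECTOR_LINK"] = {"severity": "critical", "uris": hits}

    # PDF_SEO_LINK_FARM: small file, many external .pdf links, clustered on one host.
    pdf_links = [(u, h) for u, h in zip(uris, hosts) if urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf) <= LINK_FARM_MAX_SIZE and len(pdf_links) >= LINK_FARM_MIN_LINKS:
        top_host, top_count = Counter(h for _, h in pdf_links).most_common(1)[0]
        share = top_count / len(pdf_links)
        if share >= LINK_FARM_HOST_SHARE:
            findings["PDF_SEO_LINK_FARM"] = {
                "severity": "critical", "links": len(pdf_links),
                "top_host": top_host, "share": share,
            }

    # SE_DOWNLOAD_BUTTON: call-to-action phrase in visible text (low signal alone).
    text = extract_text(pdf).lower()
    cta = [p for p in CTA_PHRASES if p in text]
    if cta:
        findings["SE_DOWNLOAD_BUTTON"] = {"severity": "low", "phrases": cta}

    # EMBEDDED_URL: informational listing of everything extracted.
    if uris:
        findings["EMBEDDED_URL"] = {"severity": "info", "uris": uris}
    return findings


if __name__ == "__main__":
    for name, detail in run_heuristics(SAMPLE_PDF).items():
        print(f"{detail['severity']:8} {name}: {detail}")
```

On the constructed sample the redirector and link-farm heuristics both fire (four .pdf links, three of them on static.usrfiles.com, a 0.75 share) and the call-to-action phrase is found, reproducing the severity mix of this report. A real triage tool would additionally decode /URI hex strings, inflate FlateDecode object and content streams before matching, and resolve /Annots through the object tree instead of scanning raw bytes.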
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off000064a8.bin | c0eb139630ee3c1c0e9b61d3256831296f61cc5188bc0827eae40252eda00ebb | pdf-font-stream | PDF embedded font (sfnt) at offset 0x64A8 | 4516 bytes |
| font_01_sfnt_off00007410.bin | 014e9b04d6a44cb86f5f42250b017b8a1da6dac6c36c6320d3c799a4a803de94 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7410 | 11256 bytes |
| font_02_sfnt_off00009952.bin | 7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9952 | 4324 bytes |