MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a lure related to 'how to become a forex trader' and includes a critical heuristic firing for a malicious redirector link. The document also exhibits characteristics of an advance-fee scam, with multiple embedded URLs pointing to what appears to be a link farm. The primary malicious URL is https://ttraff.com/pify?keyword=how+to+become+a+forex+trader+pdf, which likely leads to a fraudulent scheme.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LUREDocument contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=how+to+become+a+forex+trader+pdf
- http://files.chameliramachandran.com/uploads/1/3/1/4/131453904/685509.pdf
- http://files.dreamamazingtravel.com/uploads/1/3/1/3/131384127/f4a3f44687.pdf
- http://files.teshekpuklake.com/uploads/1/3/1/3/131380279/6589ba3531540a.pdf
- http://files.ayalife.org/uploads/1/3/1/4/131437172/d2abc3ba1c1a2.pdf
- http://files.creditriskanalytics.net/uploads/1/3/1/6/131637325/3748591.pdf
- https://cdn.shopify.com/s/files/1/0434/2376/0536/files/texasojebe.pdf
- https://cdn.shopify.com/s/files/1/0437/4410/0506/files/50277587731.pdf
- https://cdn.shopify.com/s/files/1/0431/4470/8245/files/finuriwu.pdf
- https://cdn.shopify.com/s/files/1/0432/9183/6566/files/fodororinu.pdf
- https://cdn.shopify.com/s/files/1/0429/3810/6023/files/rozazefenamuwo.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/2857609843.pdf
- https://cdn.shopify.com/s/files/1/0431/6246/8516/files/79342418338.pdf
- https://cdn.shopify.com/s/files/1/0433/2394/9224/files/57456584659.pdf
- https://cdn.shopify.com/s/files/1/0429/0392/8991/files/apc_back_ups_xs_1000_manual.pdf
- https://cdn.shopify.com/s/files/1/0431/2884/8538/files/mugozenujefosubuga.pdf
- https://cdn.shopify.com/s/files/1/0434/1117/7639/files/reverse_a_linked_list_recursively.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000758d.bin406404524c2821e1408aa31419d78e6d07ec75a79fff3f7808c5554f369f4f86 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x758D | 5352 bytes |
font_01_sfnt_off000087b9.bin5b7ec0b2c5197121720adf91884c331700791ed2fe088a0628d3a7883db16f7b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x87B9 | 10652 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.