MALICIOUS
130
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a link to a known malicious redirector, ttraff.com, which is disguised with a lure for "free gems". The document also contains a mass of external PDF links, many pointing to static.usrfiles.com, suggesting a link farm or SEO poisoning attempt to drive traffic to malicious sites. The presence of a visual download button further supports a social engineering lure.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=free+gems+for+hungry+shark
- https://static.usrfiles.com/ugd/b8c837_d9843def85c248e6a25c0dfb447b3b62.pdf
- https://static.usrfiles.com/ugd/b8c837_d8e06fc5fe7142e8833420b4b276a4ec.pdf
- https://static.usrfiles.com/ugd/b8c837_6f15608759e54404a0a0ecd47c394b6b.pdf
- https://static.usrfiles.com/ugd/b8c837_43cfc2a5113842e4b04da51788aeff86.pdf
- https://cdn.shopify.com/s/files/1/0431/9304/1053/files/tedanidanajek.pdf
- https://cdn.shopify.com/s/files/1/0435/8491/3565/files/4410139601.pdf
- https://cdn.shopify.com/s/files/1/0429/8860/1503/files/davuroxiwomemelegefilavim.pdf
- https://static.usrfiles.com/ugd/b8c837_f4bf6b409ea74fed8cf0887e40321912.pdf
- https://static.usrfiles.com/ugd/b8c837_e60d38d172564e7582d1c6a0d27d4e02.pdf
- https://static.usrfiles.com/ugd/b8c837_855f772ebb2943a78ef9bfa6a3b7f4fb.pdf
- https://static.usrfiles.com/ugd/b8c837_a7318f5f86d74ce6b90b071dcefc3fb6.pdf
- https://static.usrfiles.com/ugd/b8c837_6107227752f744bc9b6093a3d5bc7f42.pdf
- https://static.usrfiles.com/ugd/b8c837_115ae9c193484922906247c9ee7ae7dc.pdf
- https://static.usrfiles.com/ugd/b8c837_6d963c41c3254c718a19e9826dba365e.pdf
- https://static.usrfiles.com/ugd/b8c837_fb0b068f3bd44d729797f132ed3b1342.pdf
- https://static.usrfiles.com/ugd/b8c837_7d9c1b7c5fdc412f8793aac7ea0c75cd.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006698.bin0d06f64e17e6db1c369937d7e14a89ff11e7460139d608023e10ce00f5ad606f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6698 | 5268 bytes |
font_01_sfnt_off00007871.bindf547a6b35a85ad0ddc77d90e0c389a16f099529b9e74e570bc9284c1674f5bc |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7871 | 10384 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.