Malware Insights
The PDF contains multiple embedded links, with one heuristic specifically identifying a link to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains the text 'Unique employee spotlight questions' and the URL 'https://ttraff.me/wix?keyword=unique+employee+spotlight+questions', suggesting a lure to a malicious site. Another heuristic indicates a link farm, with the primary link pointing to a PDF hosted on Shopify. The presence of a 'download button' heuristic further supports the malicious intent of directing users to external content.
Heuristics 4
- PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON: Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://ttraff.me/wix?keyword=unique+employee+spotlight+questions
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00006f73.bin (hash: c66b0cbbf044d04810614c0d727b79eaaaff5c52649923e29f38ff738e2547f7) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6F73 | 5148 bytes |
| font_01_sfnt_off000080db.bin (hash: 62d97fd97bcde33ca4fed44b0e0203e3baf4acccfeb6204a59affe575d1dce9d) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x80DB | 10540 bytes |