MALICIOUS
182
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.001 User Execution: Malicious Link
T1059.001 PowerShell
The PDF contains multiple embedded links, with one critical heuristic firing indicating a malicious redirector. The document body, though heavily obfuscated, contains a URL that matches the redirector link. Another heuristic indicates a lure to install a browser extension or update, and a callback phishing lure is also present. The primary malicious URL identified is https://ttraff.com/wix?keyword=mr+sawdust+pdf, which is likely used to redirect the user to further malicious content.
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Browser extension / update installation lure high SE_BROWSER_INSTALL_LUREDocument tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
-
Callback phishing phone lure medium SE_CALLBACK_LUREDocument asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=mr+sawdust+pdf
- https://static.usrfiles.com/ugd/b8c837_52c0aabd9ede4b29a95bcca3a3c3fed3.pdf
- https://static.usrfiles.com/ugd/0d002d_2345f36ea3224ad68647eb8edff9e54a.pdf
- https://static.usrfiles.com/ugd/b8c837_4364b02b69644331862740040b39d5e2.pdf
- https://static.usrfiles.com/ugd/8ab72e_67398b8c2ce445a190cb2ab5bb924b10.pdf
- https://static.usrfiles.com/ugd/b8c837_520e0afa70a04556820ab16d798d558c.pdf
- https://static.usrfiles.com/ugd/b8c837_cd5ef37642bc4873ac13c8510e4a1d63.pdf
- https://static.usrfiles.com/ugd/b8c837_f1ecf845b4e84769b685920271feb4ac.pdf
- https://static.usrfiles.com/ugd/b8c837_85fa86e91761456dbce0eb4ed1354b05.pdf
- https://static.usrfiles.com/ugd/b8c837_7512fdf9bc5245d49cfd1570251fa20f.pdf
- https://static.usrfiles.com/ugd/b8c837_2ef4a914d18b43e38ab06a1d212f65a3.pdf
- https://static.usrfiles.com/ugd/b8c837_b7566470a67f4d2f9b2a0e6f8c7a8f65.pdf
- https://static.usrfiles.com/ugd/b8c837_0b583fcf5f8a4e5b88a87041d508d6a0.pdf
- https://cdn.shopify.com/s/files/1/0437/3744/8609/files/5878570962.pdf
- https://cdn.shopify.com/s/files/1/0434/0878/5562/files/2284843555.pdf
- https://cdn.shopify.com/s/files/1/0451/9713/1925/files/check_font_size_in.pdf
- https://cdn.shopify.com/s/files/1/0430/9906/2421/files/nudemameximobebamatuno.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006ea9.binb317a7f4c8c04f25ae2a12de353973d0aa10004d14bcc6eb56b185c907834402 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6EA9 | 5100 bytes |
font_01_sfnt_off00008025.bin5d25a092d99aa8608816d790fe6171386b4a82ab1182c13cef96fe38d0cf1daa |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8025 | 10564 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.