MALICIOUS
168
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.com/wix?keyword=carthage+update+platform+ios+command'. Additionally, it exhibits characteristics of a PDF link farm, with numerous links to external PDFs, some hosted on Shopify. The presence of a 'low' severity heuristic for a download button lure and a 'high' severity heuristic for a password-protected archive lure suggests a social engineering attempt to trick the user into downloading and opening further malicious content. No scripts were extracted from this sample.
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=carthage+update+platform+ios+command
- https://cdn.shopify.com/s/files/1/0430/3867/1010/files/kikizosavitoxetanezukal.pdf
- https://cdn.shopify.com/s/files/1/0428/0903/2863/files/67819149881.pdf
- https://cdn.shopify.com/s/files/1/0428/6211/7023/files/sudosewimadapuvesukes.pdf
- https://cdn.shopify.com/s/files/1/0434/0695/0558/files/72421252279.pdf
- https://cdn.shopify.com/s/files/1/0428/4927/1975/files/3631431984.pdf
- https://static.usrfiles.com/ugd/197ed4_fc947f36521647b886f3e4d5f563668d.pdf
- https://static.usrfiles.com/ugd/68ec51_cd0ce2d0e30b4e0ea0d04e135a721a8f.pdf
- https://static.usrfiles.com/ugd/10a4aa_117f919b74ac4cbb9f17929f1709ef8d.pdf
- https://static.usrfiles.com/ugd/b8c837_8295da48881c428cb93d8b78ba380479.pdf
- https://static.usrfiles.com/ugd/b6bf5b_acd87e452a4e4e87959734d8df095ae4.pdf
- https://static.usrfiles.com/ugd/b8c837_799fc3ec7588419b9818c07b63ee78e6.pdf
- https://static.usrfiles.com/ugd/b5aed9_eb610761aeb940b8bf86617f02a0e0b7.pdf
- https://static.usrfiles.com/ugd/b8c837_cd4141fcf85948148f7b269342f39ab0.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00007149.bin5f03d2c6bc08d28d18892b3fd5153044a2fff6aad81dd629dfd07635bf6cf50e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7149 | 2880 bytes |
font_01_sfnt_off00007b86.bin6f498ccdc98ceb9773a81e2ebe7204871bbb1132dc0d56e923e9e57c4c70599e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7B86 | 5476 bytes |
font_02_sfnt_off00008dfc.bina052c28b54c2374881102a4b1db399cd3574fa20b795d2e272b36e080d449ffa |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8DFC | 14156 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.