MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.com/wix?keyword=sap+bw+s%252F4hana'. Additionally, it exhibits a PDF link farm behavior, embedding numerous external links. The document body, though heavily obfuscated, contains references to the malicious URL and other URLs hosted on shopify.com and static.usrfiles.com, suggesting a lure to external content. The primary attack vector appears to be redirecting users to malicious infrastructure.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=sap+bw+s%252F4hana
- https://cdn.shopify.com/s/files/1/0438/8601/8712/files/learn_japanese_free_download.pdf
- https://cdn.shopify.com/s/files/1/0432/8295/6443/files/rigenetelamogigazigapi.pdf
- https://cdn.shopify.com/s/files/1/0465/0257/6286/files/cxc_integrated_science_past_papers_and_answers.pdf
- https://static.usrfiles.com/ugd/253000_189e248b15b94a06ab80fba52eb5f1de.pdf
- https://static.usrfiles.com/ugd/b8c837_c2577de5a0e44cbc9f981bb7adcfa6f2.pdf
- https://static.usrfiles.com/ugd/455f95_a3e8e7de63184e69a2aef1802a64e513.pdf
- https://static.usrfiles.com/ugd/f8de3e_45991ebbb29b4587be2bac1bc9ed338c.pdf
- https://static.usrfiles.com/ugd/b8c837_feb20dc2e5cb48c98352e4bb12045cdb.pdf
- https://static.usrfiles.com/ugd/b8c837_64e5bb49698a4c9bad2780874bc10da0.pdf
- https://static.usrfiles.com/ugd/735189_d045c35209754ad2a21aea67864e9ea9.pdf
- https://static.usrfiles.com/ugd/db1da1_3a0ff1ef6e054eb492ee95532270c193.pdf
- https://static.usrfiles.com/ugd/b48b60_06d0f7db95c2445ca78a2d42133bc1bb.pdf
- https://static.usrfiles.com/ugd/704566_76dcefba6f2e49eeb1d5f3a9bbe57fca.pdf
- https://cdn.shopify.com/s/files/1/0428/9655/6191/files/mekowewitofevosexob.pdf
- https://cdn.shopify.com/s/files/1/0434/3798/1852/files/u_bahn_berlin_map.pdf
- https://cdn.shopify.com/s/files/1/0433/0127/3750/files/samba_employee_benevolent_fund_enrollment_form.pdf
- https://cdn.shopify.com/s/files/1/0433/3151/8622/files/rovisosimimuzekumasizut.pdf
- https://cdn.shopify.com/s/files/1/0433/3446/7752/files/67022457095.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000066a8.bin6ababa91d92ac82ad0866e7130cde067a901b56b3e5aa14b793921315f5d4a69 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x66A8 | 5240 bytes |
font_01_sfnt_off00007891.bin69a53bd3d2cb32701c39376184df58a1e5423d015edff597a5210a105cced0c8 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7891 | 10472 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.