MALICIOUS
168
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
T1059.001 PowerShell
The PDF contains a malicious redirector link and a large number of external PDF links, suggesting a link farm or redirection attempt. The presence of a 'Payment redirection / bank-detail change lure' heuristic indicates a likely business-email-compromise pattern. The document body contains the URL https://ttraff.club/wix?keyword=outlook+2016++offline+address+book, which is flagged as a malicious redirector. This suggests the document is designed to trick users into clicking the link, potentially leading to credential theft or malware download.
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LUREDocument describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.club/wix?keyword=outlook+2016++offline+address+book
- https://static.usrfiles.com/ugd/4c3d6a_a9ced500504549a7a0bf5cf1c079e545.pdf
- https://static.usrfiles.com/ugd/b8c837_a4890c9367ed4286b258432db1866d38.pdf
- https://static.usrfiles.com/ugd/b8c837_f4f5f3787226410ea63105508b12721c.pdf
- https://static.usrfiles.com/ugd/dd4472_c0631935f1ca4190adcb17b6344a3ba9.pdf
- https://static.usrfiles.com/ugd/c83fdb_c479c584246a4fa4b9d50c05d9ca4bea.pdf
- https://static.usrfiles.com/ugd/2486b5_915c9039c9214b248d53d2ceab0ad062.pdf
- https://cdn.shopify.com/s/files/1/0434/3427/9062/files/formgroup_addcontrol_example.pdf
- https://cdn.shopify.com/s/files/1/0435/4323/2661/files/all_synonyms_words_list.pdf
- https://static.usrfiles.com/ugd/e2c250_fb0fa63849754854b687964a52d9acbd.pdf
- https://static.usrfiles.com/ugd/4d400c_8df11f426222487aad9e9a01a704758a.pdf
- https://static.usrfiles.com/ugd/469aea_86ade294174a4bd1a1daeced6b6fe7f8.pdf
- https://static.usrfiles.com/ugd/f0e51d_54417304b83f42d88d97516dbbf9e224.pdf
- https://static.usrfiles.com/ugd/3b47cb_c46c2ef6333340c19a441ce844cb620a.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006306.bined83c02390e38fd023458ae725a2483e3be2beb717d3d093c93d723b2cb1f820 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6306 | 5612 bytes |
font_01_sfnt_off00007629.bin7711b47173b8c6212de8409c6e27a45be39fd8dfdec8f62ef388b12be96ec761 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7629 | 10420 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.