MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a link to a known malicious redirector, ttraff.com, which is likely used to obscure the final destination of the malicious payload. The document also exhibits characteristics of a link farm, with numerous embedded URLs pointing to various PDF files, suggesting an attempt to manipulate search engine results or distribute malware through a large number of seemingly benign documents. No scripts were extracted from this sample, but the presence of the malicious redirector and the link farm structure strongly indicate a phishing or malware distribution attempt.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=canon+in+d+easy+piano+sheet+pdf
- http://files.cooksgourmet.com/uploads/1/3/1/6/131606965/13be2e.pdf
- http://files.chefleslieann.com/uploads/1/3/1/8/131871424/mokezobazuluparuri.pdf
- http://files.ahs-bully-blockers.org/uploads/1/3/2/3/132303219/lawaja_tofagaripobov_renadexarif_pebowi.pdf
- http://bijoguse.bigbadbearband.com/uploads/1/3/0/9/130969747/gegavok-kigikumabadinif-viwusete-lavuvufawofavu.pdf
- http://kijal.pcac100daysandnights.org/uploads/1/3/0/8/130814252/saganir.pdf
- https://cdn.shopify.com/s/files/1/0434/8814/9668/files/xesewenev.pdf
- https://cdn.shopify.com/s/files/1/0434/6871/8242/files/dukuvogekotusinusokep.pdf
- https://cdn.shopify.com/s/files/1/0435/5024/5028/files/zijuzele.pdf
- https://cdn.shopify.com/s/files/1/0431/4516/7008/files/nusogud.pdf
- https://cdn.shopify.com/s/files/1/0439/3893/9048/files/free_avast_antivirus_full_version_bagas31.pdf
- https://cdn.shopify.com/s/files/1/0430/2998/7489/files/72724775086.pdf
- https://cdn.shopify.com/s/files/1/0437/6641/5514/files/13167107627.pdf
- https://cdn.shopify.com/s/files/1/0436/0581/9555/files/wobosatep.pdf
- https://cdn.shopify.com/s/files/1/0434/7196/2265/files/42218634130.pdf
- https://cdn.shopify.com/s/files/1/0435/6397/4805/files/43716184322.pdf
- https://cdn.shopify.com/s/files/1/0430/6108/4322/files/agriculture_dictionary_download.pdf
- https://cdn.shopify.com/s/files/1/0434/8716/6628/files/43555180572.pdf
- https://cdn.shopify.com/s/files/1/0430/5528/4378/files/dosav.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000066ca.bina4bd03cea88894b68f2af5ad02d329ae7f54f2b224329ca6c8fef478dc7c64ce |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x66CA | 5008 bytes |
font_01_sfnt_off000077de.bin1ffe82f6138b13fb8c05e060dbfefb8df84941cf658cf4bc4e1584dbef54491b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x77DE | 10600 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.