Malware Insights
The PDF contains a lure related to a 'fake money transfer screenshot' and embeds multiple links. One critical heuristic identifies a malicious redirector link pointing to 'https://ttraff.me/wix?keyword=fake+money+transfer+screenshot', which is likely the primary payload delivery mechanism. Another heuristic indicates a large number of embedded PDF links, with the first being 'https://cdn.shopify.com/s/files/1/0429/0890/9734/files/resistencia_bacteriana_a_los_antibioticos_en_mexico.pdf', suggesting a link farm for SEO poisoning or further distribution.
Heuristics (4)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Fake invoice / payment lure (low, SE_INVOICE_LURE): Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
- https://ttraff.me/wix?keyword=fake+money+transfer+screenshot
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00007f47.bin | 3b89a1333aa93e194de12c5c5da229a8f3a969ace6b07a90c5323b9ece6747ec | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7F47 | 2828 bytes |
| font_01_sfnt_off00008942.bin | 0107782524300629500ab945496fb928af025b859715d4fccb4ab39c4d09b3c1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8942 | 5208 bytes |
| font_02_sfnt_off00009add.bin | 4e6691ba99f904b696ec8b7bcec284a276aab87d2d9c56ff4b848eb9519fcc8f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9ADD | 10980 bytes |