MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a lure referencing a corporate annual report, designed to entice users to click on embedded links. One such link, 'https://ttraff.me/pify?keyword=laing+o%2527+rourke+corporation+limited+annual+report', points to a known malicious redirector. The document also contains a mass of external PDF links, many hosted on Shopify, likely for SEO manipulation or to obscure the malicious redirector. No scripts were extracted from this sample.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Fake invoice / payment lure low SE_INVOICE_LUREDocument contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.me/pify?keyword=laing+o%2527+rourke+corporation+limited+annual+report
- https://cdn.shopify.com/s/files/1/0430/8621/7365/files/38748365846.pdf
- https://cdn.shopify.com/s/files/1/0427/4031/8375/files/wokajadamo.pdf
- https://cdn.shopify.com/s/files/1/0434/5892/0610/files/bible_malayalam.pdf
- https://cdn.shopify.com/s/files/1/0464/1603/6008/files/26294044488.pdf
- https://cdn.shopify.com/s/files/1/0433/8896/0933/files/mixek.pdf
- https://cdn.shopify.com/s/files/1/0428/0595/2671/files/zujuliviximipinoz.pdf
- https://cdn.shopify.com/s/files/1/0429/6769/5511/files/uncle_murda_ft_young_ma.pdf
- https://cdn.shopify.com/s/files/1/0435/0771/2155/files/jurafuz.pdf
- https://cdn.shopify.com/s/files/1/0440/7279/6310/files/29029969848.pdf
- https://cdn.shopify.com/s/files/1/0434/6498/2693/files/tekizugizuxupenewub.pdf
- https://cdn.shopify.com/s/files/1/0431/0056/9751/files/boxuvesom.pdf
- https://static.usrfiles.com/ugd/0a052f_6c93dc17c32742568d7e85c736a02195.pdf
- https://static.usrfiles.com/ugd/b8c837_4afe074db90c414882ada8697861c3ba.pdf
- https://static.usrfiles.com/ugd/cafc24_0f56f1e8fcfe41a3807376ecffac52d8.pdf
- https://static.usrfiles.com/ugd/fb5067_5d4b357b83f14198bb2699bf8d4fb6ae.pdf
- https://static.usrfiles.com/ugd/b910ae_206e0e9866b84df2bb2d293c466d1efb.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006c14.bincd0713a821a54874377fcb35ed8f35b4359d92323d509d0967f92a7ddd4b55e2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6C14 | 5256 bytes |
font_01_sfnt_off00007df0.bin2ff9a9482acfff3f5caa95362d86883d0652df04c2c3d88701a80ec6cdfdafb4 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7DF0 | 10536 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.