Verdict: MALICIOUS
Risk Score: 128
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.001 Malicious Link
The PDF contains a large number of external links, including one to a known malicious redirector at ttraff.club. A visual download-button lure further suggests a phishing or social-engineering attempt. The document body, though heavily obfuscated, contains the malicious URL and references to other PDF files hosted on a handful of CDN hosts, a pattern consistent with a link farm designed to obscure the true destination. No PDF parser exploit is involved; the sample depends on the user clicking a link and following a redirect chain.
Heuristics (4)

- critical | PDF_MALICIOUS_REDIRECTOR_LINK | PDF links to known malicious redirector infrastructure
  PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
- critical | PDF_SEO_LINK_FARM | Small PDF contains mass external PDF link farm
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- low | SE_DOWNLOAD_BUTTON | Visual download / call-to-action button lure
  Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal on its own unless other findings point to a malicious workflow.
- info | EMBEDDED_URL | Embedded URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

  External links (15):
  - https://ttraff.club/wix?keyword=nti+2020+location (known malicious redirector; see PDF_MALICIOUS_REDIRECTOR_LINK)
  - https://cdn.shopify.com/s/files/1/0435/8995/9839/files/firuwulozugorol.pdf
  - https://cdn.shopify.com/s/files/1/0435/3739/9960/files/rukogakopigu.pdf
  - https://cdn.shopify.com/s/files/1/0432/4917/2635/files/71013114118.pdf
  - https://9bb342f7-3c73-4255-8164-a35bcfc9135f.filesusr.com/ugd/c83fdb_53fd62bade3e44e1a8b918fbfe98ce7f.pdf?index=true
  - https://4c54670e-2068-445a-aca8-99a58923557b.filesusr.com/ugd/24d943_0e8f1ad193ef4a2a8f3e92cf3187d858.pdf?index=true
  - https://cdn.shopify.com/s/files/1/0431/1724/8672/files/fiberglass_sheets_for_shower_walls.pdf
  - https://cdn.shopify.com/s/files/1/0436/2692/2147/files/gejusupigatizodovovirepis.pdf
  - https://cdn.shopify.com/s/files/1/0433/0127/3758/files/fonekovem.pdf
  - https://cdn.shopify.com/s/files/1/0435/0830/1989/files/anti_terrorist_rush_mod_apk.pdf
  - https://efcc13d5-fa24-4ef5-87e6-8174401c9ec9.filesusr.com/ugd/b1b3ad_932c6200b7c242249136abb5a0685e9d.pdf?index=true
  - https://e3ce5a44-8dfa-46f3-ada2-c0dbec932f88.filesusr.com/ugd/7f614e_f9b8eed6ab1440a58c257d853ae545e7.pdf?index=true
  - https://ebd8eb62-8a4b-4e8e-bbaf-ccdf81d382ba.filesusr.com/ugd/4c7633_5be2a7fa65f04d05bdbed01a95e164e0.pdf?index=true
  - https://ff878c9e-c8ae-46ff-a56a-8d379a180c2f.filesusr.com/ugd/d2759c_08bb7b94988b44b4a71b38c3cf21df8d.pdf?index=true
  - https://d15656c8-fd91-4f31-af04-c8bf7443ac8c.filesusr.com/ugd/6f5f23_c8d8d352f9504df793eb85d836319754.pdf?index=true

  Metadata namespace URIs (6): these are the standard XMP/RDF namespace identifiers declared in the document's XMP metadata stream. They appear in any PDF written with XMP metadata, are not clickable links, and are benign; they are listed only because the URL extractor scans the whole file body.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/rights/
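The four heuristics above are described only in prose. The script below is an added example, not the analyzer's own code, that applies the same four checks to a constructed in-memory PDF: it pulls URIs out of /Link annotation /URI entries with a regex (uncompressed objects only; a real tool would inflate streams and walk the object tree with a PDF parser), matches them against a small hypothetical redirector blocklist seeded with ttraff.club, tests the small-file / many-.pdf-links / one-dominant-host link-farm pattern with assumed thresholds, looks for a call-to-action phrase in the page text, and labels every URL found in the body with the channel that reached it, so the XMP namespace URIs are separated from the clickable links. The sample PDF, the blocklist, the thresholds, the regexes and every hostname other than ttraff.club are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

KNOWN_REDIRECTOR_HOSTS = {"ttraff.club"}          # assumed blocklist; the report names this host
CTA_PHRASES = ("click here to download", "download now", "download pdf")
LINK_FARM_MAX_SIZE = 64 * 1024                    # "small PDF" (assumed threshold)
LINK_FARM_MIN_PDF_LINKS = 8                       # "mass external PDF links" (assumed)
LINK_FARM_CLUSTER_RATIO = 0.5                     # "mostly clustered on one host" (assumed)
# Standard XMP/RDF namespace URIs: metadata declarations, never clickable links.
XMP_NAMESPACE_PREFIXES = ("http://ns.adobe.com/", "http://purl.org/dc/",
                          "http://www.w3.org/1999/02/22-rdf-syntax-ns")

# Naive extractors over raw, uncompressed PDF syntax. A production tool would
# inflate FlateDecode streams and walk the object tree with a real PDF parser.
URI_ANNOT_RE = re.compile(rb"/URI\s*\(([^)]*)\)")     # /A << /S /URI /URI (...) >>
TEXT_SHOW_RE = re.compile(rb"\(([^)]*)\)\s*Tj")        # (text) Tj in a content stream
ANY_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")    # any URL-looking string

def extract_link_uris(pdf: bytes) -> list:
    """URIs a user can reach by clicking a /Link annotation."""
    return [m.group(1).decode("latin-1") for m in URI_ANNOT_RE.finditer(pdf)]

def extract_page_text(pdf: bytes) -> str:
    """Text drawn by uncompressed content streams, for the call-to-action check."""
    return " ".join(m.group(1).decode("latin-1") for m in TEXT_SHOW_RE.finditer(pdf))

def extract_body_urls(pdf: bytes) -> list:
    """Every URL-looking string anywhere in the file, whatever channel holds it."""
    return sorted({m.group(0).decode("latin-1") for m in ANY_URL_RE.finditer(pdf)})

def assess(pdf: bytes) -> dict:
    """Run the four heuristics; return findings and a per-URL channel label."""
    findings = []
    links = extract_link_uris(pdf)
    hosts = Counter(urlsplit(u).hostname or "" for u in links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)

    # PDF_MALICIOUS_REDIRECTOR_LINK: a clickable URI on a known redirector host.
    if any(urlsplit(u).hostname in KNOWN_REDIRECTOR_HOSTS for u in links):
        findings.append(("PDF_MALICIOUS_REDIRECTOR_LINK", "critical"))

    # PDF_SEO_LINK_FARM: small file, many clickable .pdf links, most on one host.
    pdf_links = [u for u in links if urlsplit(u).path.lower().endswith(".pdf")]
    if (len(pdf) <= LINK_FARM_MAX_SIZE
            and len(pdf_links) >= LINK_FARM_MIN_PDF_LINKS
            and top_n / len(links) >= LINK_FARM_CLUSTER_RATIO):
        findings.append(("PDF_SEO_LINK_FARM", "critical"))

    # SE_DOWNLOAD_BUTTON: low-signal on its own; only meaningful with the above.
    text = extract_page_text(pdf).lower()
    if any(phrase in text for phrase in CTA_PHRASES):
        findings.append(("SE_DOWNLOAD_BUTTON", "low"))

    # EMBEDDED_URL: the URL is not a detection; record the channel that reached it.
    channels = {}
    for url in extract_body_urls(pdf):
        if url in links:
            channels[url] = "link-annotation"
        elif url.startswith(XMP_NAMESPACE_PREFIXES):
            channels[url] = "xmp-namespace"
        else:
            channels[url] = "document-body"
    return {"findings": findings, "url_channels": channels, "top_host": top_host}

def build_sample_pdf(link_uris, cta_text: str) -> bytes:
    """Constructed, minimal PDF-like bytes: one /Link annotation per URI, a content
    stream showing cta_text, an XMP metadata stream; uncompressed, no xref table."""
    annots = b" ".join(b"%d 0 R" % (10 + i) for i in range(len(link_uris)))
    content = b"BT /F1 24 Tf 72 700 Td (" + cta_text.encode() + b") Tj ET"
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:dc="http://purl.org/dc/elements/1.1/" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"></rdf:RDF>')
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [" + annots + b"] >> endobj",
        b"4 0 obj << /Length %d >> stream\n" % len(content) + content + b"\nendstream endobj",
        b"5 0 obj << /Type /Metadata /Subtype /XML /Length %d >> stream\n" % len(xmp)
        + xmp + b"\nendstream endobj",
    ]
    for i, uri in enumerate(link_uris):
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [72 600 300 620] "
                    b"/A << /S /URI /URI (%s) >> >> endobj" % (10 + i, uri.encode()))
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\n%%EOF\n"

# Constructed link farm: one redirector URI, eight .pdf links on one CDN host,
# three .pdf links on per-site hosts. Hostnames other than ttraff.club are made up.
SAMPLE_LINKS = (
    ["https://ttraff.club/wix?keyword=nti+2020+location"]
    + [f"https://cdn.example-shop.test/s/files/1/04{i:02d}/files/farm{i}.pdf" for i in range(8)]
    + [f"https://{h}.example-files.test/ugd/{h}_doc.pdf?index=true" for h in ("a1", "b2", "c3")]
)

if __name__ == "__main__":
    report = assess(build_sample_pdf(SAMPLE_LINKS, "Click here to download"))
    print(report["findings"], report["top_host"])
```

Against the constructed sample, `assess` reports all three detections in severity order and labels the three namespace URIs from the metadata stream as `xmp-namespace`, which is the per-URL channel label the EMBEDDED_URL entry refers to; a one-link document with a neutral page text produces no findings. The thresholds are deliberately exposed as constants because the link-farm rule is the one most likely to need tuning against benign documents with many citations.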
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00005d05.bin | 6d790e8122c9e5967eda6e5854556e028a685489cb1ac7a083cd5bd45cdc3363 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5D05 | 4760 bytes |
| font_01_sfnt_off00006d4e.bin | 40fd931dd6bb06328df970a76171b6734eff5771238e9a3b867f078d504b0df6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6D4E | 10376 bytes |