MALICIOUS
162
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a link to a known malicious redirector, ttraff.ru, which is part of an advance-fee scam lure. The document body, though heavily obfuscated, contains references to URLs hosted on Shopify and static.usrfiles.com, likely part of a link farm to distribute the scam. The primary attack pattern is social engineering via an advance-fee scam, aiming to trick users into clicking malicious links.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LUREDocument contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wix?keyword=writing+a+business+report+introduction
- https://cdn.shopify.com/s/files/1/0431/8691/3439/files/22229801075.pdf
- https://cdn.shopify.com/s/files/1/0428/0342/9535/files/32647802271.pdf
- https://cdn.shopify.com/s/files/1/0437/4419/8805/files/36943649834.pdf
- https://cdn.shopify.com/s/files/1/0433/4672/2974/files/the_expanse_caliban_s_war.pdf
- https://static.usrfiles.com/ugd/9b33c5_a57376cd129c4dd58f95995fd5635229.pdf
- https://static.usrfiles.com/ugd/d9d1f5_d8a73e0f21914c10961ee669b645fb9a.pdf
- https://static.usrfiles.com/ugd/82e28d_69469e4f0df141559b4ca34a23535660.pdf
- https://static.usrfiles.com/ugd/565485_683a8bba0da34e4c8b30f943183dee86.pdf
- https://static.usrfiles.com/ugd/3ab5ed_30cd390c480c4ab4bd085a8bbff034be.pdf
- https://cdn.shopify.com/s/files/1/0433/9548/1750/files/gubolavogupetumefud.pdf
- https://cdn.shopify.com/s/files/1/0436/8911/5801/files/nuwomibutiwitapeta.pdf
- https://cdn.shopify.com/s/files/1/0429/2273/7830/files/12078427401.pdf
- https://static.usrfiles.com/ugd/b8c837_de81def0044f4711a94fb8dd501c1da2.pdf
- https://static.usrfiles.com/ugd/b8c837_39b8b4365f7e4d7295fc93e10f219f40.pdf
- https://static.usrfiles.com/ugd/b8c837_a840dfc8ee1247688c43a3f04f392573.pdf
- https://static.usrfiles.com/ugd/de60da_4f93a0319d5f4af68dddf88b87e98650.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006cc4.binf812913617678443c771fc34ec0800ab8fb81aac19f30ad1449803bd480c4123 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6CC4 | 5364 bytes |
font_01_sfnt_off00007f17.bin7416d72316eaa3ddda2a60f3ae585d3fd058d770fa9733c295a1057eaeb955a3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7F17 | 10224 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.