MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 User Execution: Malicious File
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1566.002 Phishing: Spearphishing Attachment
The PDF file contains multiple embedded links, with one pointing to a known malicious redirector. Heuristics indicate a 'ClickFix' social engineering attack, instructing the user to copy/paste commands into a terminal. This suggests the document's primary purpose is to trick the user into executing a malicious command, likely to download and run a second-stage payload from the identified redirector URL.
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LUREDocument tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
-
ClickFix social engineering attack high SE_CLICKFIXDocument instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wix?keyword=install+aacs+dynamic+library+for+vlc
- https://static.usrfiles.com/ugd/5899d5_0d44afabadbd4e8caac421904cb95588.pdf
- https://static.usrfiles.com/ugd/b8c837_9056e75d50ba42f3a527535cb03f9f28.pdf
- https://static.usrfiles.com/ugd/58a813_62d5103a4880413b8ec91ec874ed33ab.pdf
- https://cdn.shopify.com/s/files/1/0432/9917/6612/files/58160811902.pdf
- https://cdn.shopify.com/s/files/1/0435/1901/7124/files/pirulekokamuruwepatu.pdf
- https://cdn.shopify.com/s/files/1/0431/7039/8357/files/16049735829.pdf
- https://static.usrfiles.com/ugd/6c98bc_f682208688d94a83b3910254302e6a81.pdf
- https://static.usrfiles.com/ugd/c4ccc4_203df73910d143609c64b0a4da152550.pdf
- https://static.usrfiles.com/ugd/067ecb_ab1bd992b48b45e1aaebb2e313493b08.pdf
- https://static.usrfiles.com/ugd/06497e_bd2589722c9e4cb88145b2e2ccd261d7.pdf
- https://static.usrfiles.com/ugd/b8c837_f86c7c490be2418584e3af20be53b190.pdf
- https://static.usrfiles.com/ugd/b8c837_681d5d5fb3eb4682a5c791d1f1f60db0.pdf
- https://static.usrfiles.com/ugd/ace02d_e5ec3842a3e942a9b97f2e3c2f77bb6c.pdf
- https://static.usrfiles.com/ugd/73cb9e_f201b127be7a4acbac115e684c902ef1.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005ee7.bin11442869f35dd9b58a79e347bc17c4ac0e62120b743e9f5e1f81f0eedbb47fb5 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5EE7 | 5076 bytes |
font_01_sfnt_off00007002.bindd20b325ebee8486c93927e437086ffa1ca68ad5f298fbdf61ab28e0b4f482f6 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7002 | 10312 bytes |
font_02_sfnt_off0000933e.bind1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x933E | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.