Verdict: MALICIOUS
Risk Score: 148
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
T1204.001 Malicious Link
Multiple heuristics fired on this PDF, indicating malicious redirection and an SEO link farm, with a primary malicious redirector URL identified. The document body, though heavily obfuscated, contains a reference to that URL. The presence of urgency and callback lures suggests a phishing or scam attempt. The primary malicious IOC is the ttraff.cc redirector, which likely leads to a further stage of the attack.
Heuristics (5)
- PDF links to known malicious redirector infrastructure [critical, PDF_MALICIOUS_REDIRECTOR_LINK]: PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Callback phishing phone lure [medium, SE_CALLBACK_LURE]: Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns.
- Urgency / deadline lure [low, SE_URGENCY_LURE]: Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Primary URL: https://ttraff.cc/pify?keyword=probability+and+statistics+for+data+science+matloff+pdf
Other extracted URLs:
- http://files.tenstringedlyre.com/uploads/1/3/1/4/131406717/fcd62e2f03f1f76.pdf
- http://files.chasebutlerblog.com/uploads/1/3/1/4/131407469/1493004b.pdf
- http://files.emilysasia.com/uploads/1/3/1/4/131454286/zoxunutakava.pdf
- https://cdn.shopify.com/s/files/1/0440/8170/9206/files/43439816437.pdf
- https://cdn.shopify.com/s/files/1/0435/8461/8653/files/84637323527.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/98559129476.pdf
- https://cdn.shopify.com/s/files/1/0432/4045/6360/files/94905752364.pdf
- https://cdn.shopify.com/s/files/1/0429/9236/9823/files/partial_differentiation_chain_rule.pdf
- https://cdn.shopify.com/s/files/1/0432/8410/3332/files/543885728.pdf
- https://cdn.shopify.com/s/files/1/0433/2758/6472/files/notebook_paper_wide_ruled.pdf
- https://cdn.shopify.com/s/files/1/0433/5802/7928/files/sidiliwoboberonipivusutuz.pdf
- https://cdn.shopify.com/s/files/1/0430/7006/2754/files/rixaxedofudawiwepevixo.pdf
- https://cdn.shopify.com/s/files/1/0446/3670/0835/files/couper_gratuit.pdf
- https://cdn.shopify.com/s/files/1/0430/9316/4199/files/72184543948.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00019fb8.bin | 30716cac4ad6f7d8af5266cba8cc3c1b6a7f85f91497b393e46c6f4c199a83f0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x19FB8 | 5544 bytes |
| font_01_sfnt_off0001b27f.bin | fc839c7be78ae0f8e52545f3fbd1bd0bf5662edca30d145de1574c212b4c3f02 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1B27F | 15160 bytes |
| font_02_sfnt_off0001e2d8.bin | ebd2804bff382343e08f6a42dc45f69f4e794c08b23908ae60ba78ededae74b1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1E2D8 | 16164 bytes |