MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.com/wix?keyword=christmas+card+ii+font+free'. This indicates a phishing attempt where the document masquerades as a free font download to trick users into visiting a malicious site. The document also contains a large number of embedded URLs, many pointing to static.usrfiles.com, suggesting a link farm or SEO poisoning tactic to improve search engine visibility for the malicious lure.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=christmas+card+ii+font+free
- https://static.usrfiles.com/ugd/5e8de6_614dffb66b85406bae53e5c2f0e0bb42.pdf
- https://static.usrfiles.com/ugd/efb3f0_924756f148df4ae4ae10c769bf426509.pdf
- https://static.usrfiles.com/ugd/b8c837_85251ad486794e26b62a980bd3aacaf1.pdf
- https://static.usrfiles.com/ugd/d9d1f5_e18c2ad4f8b34164a7b5a2f369d19ae8.pdf
- https://static.usrfiles.com/ugd/99a8f2_0ad5d42be01446cf9c3c02de87687947.pdf
- https://cdn.shopify.com/s/files/1/0438/9994/5112/files/63508261307.pdf
- https://cdn.shopify.com/s/files/1/0466/7808/1701/files/jenotabukazakumunavatulux.pdf
- https://cdn.shopify.com/s/files/1/0436/1850/0765/files/expedient_homemade_firearms_vol_2.pdf
- https://cdn.shopify.com/s/files/1/0430/3588/5721/files/saunders_nclex_study_guide.pdf
- https://static.usrfiles.com/ugd/b8c837_b5cb405eec374da292893a431cdc0498.pdf
- https://static.usrfiles.com/ugd/e02969_93f38ca6d8464a9c8727c0550c65fdbf.pdf
- https://static.usrfiles.com/ugd/4c76bf_61748fab206f46bdbf03ef6792174ac2.pdf
- https://static.usrfiles.com/ugd/a382ee_230d5574756d4947b3bc25afe229a115.pdf
- https://static.usrfiles.com/ugd/917232_37b70e275d40403c9bffe07767dcd61c.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000071c0.bin8855382361ffbb19adb1faec000283a330d3147b7d95231264f032d26cae5d85 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x71C0 | 5132 bytes |
font_01_sfnt_off000082f4.bin63e783c03da57879afb775159473c506eb962ef38e1d93fd37c9511de6b0a0ad |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x82F4 | 2132 bytes |
font_02_sfnt_off00008cb1.binf3af67f47f438167f71e939b879be590e2305a4c91d9b854820834b34e4d9f9e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8CB1 | 16436 bytes |
font_03_sfnt_off0000bf77.binbf8f9ece8d9d74ce2d7a98a07ee1bb8f4056faf702b3b1702118181e85f1b939 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xBF77 | 16312 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.