MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a heuristic firing for a malicious redirector link, pointing to 'ttraff.club'. The document body, though heavily obfuscated, contains text that appears to be a lure for a monthly PDF, likely to trick the user into clicking the malicious link. The PDF also contains a large number of external links, many pointing to 'static.usrfiles.com', which is flagged as a link farm. The primary malicious IOC is the redirector URL.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LUREDocument contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.club/wix?keyword=affairscloud+monthly+pdf+june+2019
- https://static.usrfiles.com/ugd/fbccce_f20105ad6038449e8c233740ad89ae26.pdf
- https://static.usrfiles.com/ugd/defdb4_1e4d32e8e79f43e190a26d9b05a9f92e.pdf
- https://static.usrfiles.com/ugd/565485_3aab237f19584c10bf4407c7c57e3a05.pdf
- https://static.usrfiles.com/ugd/b8c837_e340b4e0341b4c08a2f918c0e687e228.pdf
- https://cdn.shopify.com/s/files/1/0432/3622/9277/files/semizuxigevodetapa.pdf
- https://cdn.shopify.com/s/files/1/0440/1928/6174/files/advanced_english_grammar_class_9_10.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/909040323.pdf
- https://static.usrfiles.com/ugd/15cd4d_015ab17213224a42bba2587b323a2f60.pdf
- https://static.usrfiles.com/ugd/b8c837_9babca9598b14045ad3889e6a2fec3ae.pdf
- https://static.usrfiles.com/ugd/1849a1_6878337a0eb84a4cae7e3dd08b85765c.pdf
- https://static.usrfiles.com/ugd/ea9bdf_ab7303d8c1bd49ea925a0af0462ecc6f.pdf
- https://static.usrfiles.com/ugd/4f92c1_104fe88fbc604498abd221fa47133e13.pdf
- https://static.usrfiles.com/ugd/9ea9b6_e4125baec68d4251a741685460d6b0a8.pdf
- https://static.usrfiles.com/ugd/79e5df_af698f22ae2d428ea91febce63390c1b.pdf
- https://static.usrfiles.com/ugd/ba3095_f94479c2fe504e279fc56af0c64ea46d.pdf
- https://static.usrfiles.com/ugd/3ce946_09e435ea52b64324b5e329b81ac321a9.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000bbf1.bin7c3c03d24be0b96ed09a655cd7cc21e9110941dea7cc7608fa79c0977f96e531 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xBBF1 | 5924 bytes |
font_01_sfnt_off0000cff8.bin2dfdc4a9ed1327b46960be01b8d7ea382c8bea7a4536cab665042a021f461795 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xCFF8 | 10652 bytes |
font_02_sfnt_off0000f44d.bind1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF44D | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.