MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.001 User Execution: Malicious Link
T1059.001 PowerShell
The PDF file contains a critical heuristic indicating it links to known malicious redirector infrastructure via the URL 'https://ttraff.me/wix?keyword=d%2527+banj+song+bother+you'. Additionally, it exhibits characteristics of a PDF link farm, with numerous links pointing to external PDFs, including one hosted on Shopify. The presence of a visual download button lure further supports the malicious intent. The document body, though heavily obfuscated, contains the same malicious URL and several benign-looking PDF links, suggesting a deceptive lure.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.me/wix?keyword=d%2527+banj+song+bother+you
- https://cdn.shopify.com/s/files/1/0431/7495/3120/files/58458736745.pdf
- https://cdn.shopify.com/s/files/1/0429/9050/2042/files/xesumotizuxiwojapudapuge.pdf
- https://cdn.shopify.com/s/files/1/0466/5989/5461/files/telecharger_cardboard_camera_apk.pdf
- https://static.usrfiles.com/ugd/8f6098_781f2041052846d2af381afb1dd7cfe1.pdf
- https://static.usrfiles.com/ugd/e5cbe5_34a04dfd0ad94cdfa1225c80b9c6d278.pdf
- https://static.usrfiles.com/ugd/824332_1e0214f64e9e4ee2b6686f8391ce7b3e.pdf
- https://static.usrfiles.com/ugd/963627_d3df1af65d3c4430a67f32a7fc467bb1.pdf
- https://static.usrfiles.com/ugd/111c46_73a07fde8a79484983efe3dffc3c3e96.pdf
- https://static.usrfiles.com/ugd/9e41f0_f3d76be8a66b4aa493227d16038fed30.pdf
- https://static.usrfiles.com/ugd/6c98bc_6bf83c5465194e39ad3e513a47c1444a.pdf
- https://static.usrfiles.com/ugd/9b7d8a_e7c5815eb838436891a0f4447f82b571.pdf
- https://static.usrfiles.com/ugd/d4a9d6_1b7d91a6b8b249aabf5ce9578a6d0ec3.pdf
- https://static.usrfiles.com/ugd/6166c9_c566875155db4757bdfdd764a8d104b9.pdf
- https://static.usrfiles.com/ugd/b8c837_ae8aa26db7604d56a0b0802afefb5860.pdf
- https://static.usrfiles.com/ugd/b926a8_473c41106eac404d8dcba27720130127.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00004627.bin4d0d87698fa501205da1da5989ddf5f06eb8f3c71c65153b8beb6289c20d0dcc |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4627 | 5264 bytes |
font_01_sfnt_off0000581f.bin6de620122b029348929eec733de3fcfbb95a7344f135213aadb5af38719d5b2d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x581F | 10420 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.