MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains numerous links, with one critical heuristic identifying a link to a known malicious redirector at 'ttraff.com'. The document body, though heavily obfuscated, contains the same URL and keyword as the redirector, suggesting a lure. The presence of many external PDF links, including to shopify.com, indicates a link farm strategy, likely to obscure the malicious redirector. The primary malicious IOC is the redirector URL, which is designed to lead users to a harmful destination.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=class+dojo++for+windows+7
- http://files.visionstheperformingarts.com/uploads/1/3/0/7/130775017/241874.pdf
- http://demisutek.cbcneligh.net/uploads/1/3/1/4/131455158/6c8ef4d55f18.pdf
- http://files.rutherfordmemorialumc.com/uploads/1/3/1/4/131408928/gesekegagimem.pdf
- https://cdn.shopify.com/s/files/1/0440/8619/8424/files/babuzijeroruzisakinu.pdf
- https://cdn.shopify.com/s/files/1/0429/9830/0823/files/vagujowupemalazufoze.pdf
- https://cdn.shopify.com/s/files/1/0432/9901/2763/files/vezoworiwividud.pdf
- https://cdn.shopify.com/s/files/1/0440/3914/3574/files/49458963964.pdf
- https://cdn.shopify.com/s/files/1/0434/5459/5224/files/42281896413.pdf
- https://cdn.shopify.com/s/files/1/0431/8747/0485/files/56247667775.pdf
- https://cdn.shopify.com/s/files/1/0435/7426/3963/files/lajukenolodaj.pdf
- https://cdn.shopify.com/s/files/1/0429/9803/8679/files/9882402348.pdf
- https://cdn.shopify.com/s/files/1/0427/4782/2236/files/fakikogalovime.pdf
- https://cdn.shopify.com/s/files/1/0428/1381/6995/files/55657149573.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/91025233068.pdf
- https://cdn.shopify.com/s/files/1/0437/6264/7191/files/comptia_cybersecurity_analyst_cysa_study_guide.pdf
- https://cdn.shopify.com/s/files/1/0436/1243/8685/files/area_of_circles_worksheet_kuta.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005e13.binae273eec65a6ab83e73ad419dbc3646219c33066826d74e7be3fb534b132a732 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5E13 | 5056 bytes |
font_01_sfnt_off00006f6a.bin49574a4be693ac20b9f27d1b0f833e878ff227af1d723b70f8323c37a0dbe171 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6F6A | 10152 bytes |
font_02_sfnt_off00009240.binf53b43e12006e3d52612f085e6e184fa5bba3604999f0cb64562e6bb996dc06b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9240 | 16384 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.