Malware Insights
The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/wix?keyword=nifskope+skyrim+special+edition'. Additionally, it exhibits characteristics of a PDF link farm, with numerous external links, one of which is 'https://static.usrfiles.com/ugd/b8c837_6ba75142c7ae4212aef37ea6fb412455.pdf'. The document also includes a lure to execute commands via the clipboard, suggesting an attempt to trick the user into running malicious code. The presence of these elements indicates a likely attack pattern involving redirection to malicious sites and potential command execution.
Heuristics (5)

- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Clipboard command execution lure (high, SE_CLIPBOARD_COMMAND_LURE): Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URLs:

- https://ttraff.ru/wix?keyword=nifskope+skyrim+special+edition
- https://static.usrfiles.com/ugd/b8c837_6ba75142c7ae4212aef37ea6fb412455.pdf
- https://static.usrfiles.com/ugd/b8c837_b3790cfcef234d76893c26ee38e8193e.pdf
- https://static.usrfiles.com/ugd/b8c837_f0c51820f48f492b9c12623f66e317ae.pdf
- https://static.usrfiles.com/ugd/b8c837_cbe70f2f25074dabbed2f35ee81cf7bc.pdf
- https://cdn.shopify.com/s/files/1/0430/7543/6698/files/zatidovuxa.pdf
- https://cdn.shopify.com/s/files/1/0433/4940/9960/files/belfast_city_airport_flight_information.pdf
- https://cdn.shopify.com/s/files/1/0434/2281/0268/files/34278418708.pdf
- https://cdn.shopify.com/s/files/1/0468/1518/3002/files/57222666051.pdf
- https://cdn.shopify.com/s/files/1/0431/2439/2087/files/basecamp_2_all_files.pdf
- https://cdn.shopify.com/s/files/1/0435/9513/7187/files/office_telemetry_agent.pdf
- https://cdn.shopify.com/s/files/1/0434/1438/8888/files/78752182660.pdf
- https://static.usrfiles.com/ugd/b8c837_d60ebab9554d4247b20a0034793baf23.pdf
- https://static.usrfiles.com/ugd/b8c837_5f4690af8743433699ead449f78db290.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off000057a8.bin | ebb8f13d84ec1baea4fe6af864af180168b10e8ea7df795156853a6dbca2bbfa | pdf-font-stream | PDF embedded font (sfnt) at offset 0x57A8 | 5436 bytes |
| font_01_sfnt_off00006a1b.bin | 7806fb39b67eaa5d6f72b42e1f170b3b90746c199d651b37b289a98ac04aef63 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6A1B | 10968 bytes |