MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a link to a known malicious redirector, disguised with text related to credit reports. The document body, though partially corrupted, contains the URL and text suggesting a lure to manipulate credit information. The presence of numerous external PDF links, many pointing to static.usrfiles.com, indicates a link farm designed to distribute malicious content or improve SEO for malicious sites. The primary malicious URL is ttraff.cc, which is flagged as a malicious redirector.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Fake invoice / payment lure low SE_INVOICE_LUREDocument contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wix?keyword=remove+closed+charge+off+from+credit+report
- https://static.usrfiles.com/ugd/724fb5_8a76743776224e20aea20277b114889c.pdf
- https://static.usrfiles.com/ugd/89363e_3d5ee17f31ff4cd0b8f3ff77c8afd856.pdf
- https://static.usrfiles.com/ugd/1a89c8_282c8217bde44f1785b3f8b4ee1af83e.pdf
- https://static.usrfiles.com/ugd/599f1c_e8ca54e4da25435dad74119c5fdc41b3.pdf
- https://cdn.shopify.com/s/files/1/0434/2651/3048/files/89114507251.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/bugos.pdf
- https://cdn.shopify.com/s/files/1/0437/1274/1529/files/20521030746.pdf
- https://static.usrfiles.com/ugd/9e53d4_d0ec9807674545c58e0573800a0393cb.pdf
- https://static.usrfiles.com/ugd/89363e_734f6e33b5444ae59db64ebd5e424536.pdf
- https://static.usrfiles.com/ugd/9734e7_33a911e34f0748b5b1e7957004185a4c.pdf
- https://static.usrfiles.com/ugd/10e3af_f38e554ea38e4faeba5e6df39a45bcb5.pdf
- https://static.usrfiles.com/ugd/c068f8_e15b90125144427f9eed9be6bb37099c.pdf
- https://cdn.shopify.com/s/files/1/0433/4066/0904/files/lexique_minier_anglais-_franais.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/babape.pdf
- https://cdn.shopify.com/s/files/1/0432/5670/9288/files/5650182034.pdf
- https://cdn.shopify.com/s/files/1/0432/9085/3541/files/origami_aviones_de_papel.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00007573.binf4a2ad5d7fbdc0d308448bea3ee1e62cad4a532c80919d7371a96d40a1dda5dd |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7573 | 5316 bytes |
font_01_sfnt_off00008794.bind8f390ee5a81e3114c7453fe85a93e705edb44760b9125c73c1d6bb70ef97deb |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8794 | 11400 bytes |
font_02_sfnt_off0000ad29.binb50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xAD29 | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.