MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
T1059.001 PowerShell
The PDF contains a lure for a browser extension installation and a link to a known malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.club/wix?keyword=aqa+chemistry+gcse+oxford+textbook+answers' which is flagged as malicious. The presence of numerous links to PDF files on static.usrfiles.com suggests a link farm used for SEO poisoning to attract victims. The combination of these elements indicates a social engineering attack aimed at tricking users into visiting a malicious site.
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Browser extension / update installation lure high SE_BROWSER_INSTALL_LUREDocument tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
-
Callback phishing phone lure medium SE_CALLBACK_LUREDocument asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.club/wix?keyword=aqa+chemistry+gcse+oxford+textbook+answers
- https://static.usrfiles.com/ugd/221eaa_dc92df53a1b24a5e9a59e7c8bba468fa.pdf
- https://static.usrfiles.com/ugd/b8c837_e7e32b66f6294d6b98eaf0221bf5f332.pdf
- https://static.usrfiles.com/ugd/b8c837_0d364dab46e24a209039d58dd30071b8.pdf
- https://cdn.shopify.com/s/files/1/0431/5322/7936/files/rufixibek.pdf
- https://cdn.shopify.com/s/files/1/0435/3468/0216/files/89664555623.pdf
- https://cdn.shopify.com/s/files/1/0441/0392/5912/files/xubidete.pdf
- https://static.usrfiles.com/ugd/2ddd39_ca0270013cc84a06838e3c3cd0d1a54a.pdf
- https://static.usrfiles.com/ugd/2f8cea_5a0f65dc5aec446cb65fd5f76e7da5e2.pdf
- https://static.usrfiles.com/ugd/cfbfd2_bccf89ba61c24bf7aec35c586b076f63.pdf
- https://static.usrfiles.com/ugd/f4de5e_133d7ea96910402a9cb2a2edc2f08aaa.pdf
- https://static.usrfiles.com/ugd/c618e9_f6302a9143084b04aec6bea4a5128121.pdf
- https://cdn.shopify.com/s/files/1/0439/1695/1704/files/vofimuwamijenafa.pdf
- https://cdn.shopify.com/s/files/1/0449/9403/5880/files/august_2019_current_affairs_telugu.pdf
- https://cdn.shopify.com/s/files/1/0430/0891/7657/files/17258272943.pdf
- https://cdn.shopify.com/s/files/1/0428/9468/8423/files/zozodapo.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005f49.bin3c97935b698451308a5cb8c0eaa18423eeb51c73700eec7a807f08b1eca5ff77 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5F49 | 5984 bytes |
font_01_sfnt_off00007399.binedb5855253d91e23f5a63854932899c5b320d94c9462d9e3bb2752c7f9fcce97 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7399 | 10588 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.