MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.cc/pify?keyword=free+lettering+guides+procreate'. This indicates an attempt to direct the user to a malicious site. Additionally, the PDF exhibits characteristics of a link farm, with numerous external links, many hosted on Shopify. The presence of the 'SE_PASSWORD_ARCHIVE_LURE' heuristic suggests that the document may be part of a multi-stage attack, where the user is prompted to open a password-protected archive, likely containing the actual malware payload.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=free+lettering+guides+procreate
- http://sasine.wyntrcardigans.com/uploads/1/3/0/8/130814769/d481bcd396.pdf
- http://files.epictherapyandwellness.com/uploads/1/3/1/1/131163859/4f48e52.pdf
- http://files.behuninvocalstudio.com/uploads/1/3/0/9/130968994/2496227.pdf
- https://cdn.shopify.com/s/files/1/0451/0292/3939/files/mitochondrial_membrane_potential.pdf
- https://cdn.shopify.com/s/files/1/0452/7154/8066/files/catlogo_jequiti_2020.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/55166802931.pdf
- https://cdn.shopify.com/s/files/1/0427/4647/8759/files/converting_to_svg.pdf
- https://cdn.shopify.com/s/files/1/0445/8535/3380/files/mediheal_ac_dressing_ampoule_mask_ex_review.pdf
- https://cdn.shopify.com/s/files/1/0431/7950/7880/files/7276948733.pdf
- https://cdn.shopify.com/s/files/1/0431/1708/4839/files/68851358777.pdf
- https://cdn.shopify.com/s/files/1/0433/5563/5871/files/81226150377.pdf
- https://cdn.shopify.com/s/files/1/0430/9699/8041/files/datasheet_arduino_uno_portugues.pdf
- https://cdn.shopify.com/s/files/1/0432/4923/8184/files/xawizonuxibizusuratem.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005b5f.bine6137c4891fc7244d6046809797d42b824088b18c3add2ee93b3e19069407f09 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5B5F | 5196 bytes |
font_01_sfnt_off00006d13.bin51ebeec29509b87aa858d500e37ac8853184703d07d1f913ce36d8e1dc7764c0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6D13 | 1800 bytes |
font_02_sfnt_off000075a1.bin2adb8497eacf8da9557b3e710ff91e1eb25204560bad6b6ea79d09c2cc7639e7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x75A1 | 10304 bytes |
font_03_sfnt_off00009910.bin796abb589046a6794b20638b8f3d5374798c86db7bc0cccf3f694680d91a7597 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9910 | 16192 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.