MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.001 User Execution: Malicious Link
T1059.001 PowerShell
The PDF contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'ttraff.link'. This indicates an attempt to direct the user to a harmful destination. Additionally, the document exhibits characteristics of a password-protected archive lure and a callback phishing lure, suggesting a multi-stage attack or social engineering. The presence of a link farm further supports the malicious intent of generating traffic and potentially obscuring the true destination.
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Callback phishing phone lure medium SE_CALLBACK_LUREDocument asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.link/wix?keyword=cisco+ip+phone+7945+manual+voicemail
- http://files.bullbearkidsbooks.com/uploads/1/3/2/6/132681404/medewesiposade.pdf
- http://files.peacelovemonkey.com/uploads/1/3/0/7/130776828/2499076.pdf
- http://files.the8blockfitnessstudio.com/uploads/1/3/1/6/131606674/1f565bc5183d.pdf
- http://files.mariannecenko.com/uploads/1/3/2/6/132695451/6500638.pdf
- http://toriwezi.tnccivic.org/uploads/1/3/0/8/130874666/jozoxa.pdf
- https://cdn.shopify.com/s/files/1/0436/9914/2810/files/jexukalabedod.pdf
- https://cdn.shopify.com/s/files/1/0431/9910/3136/files/22794364902.pdf
- https://cdn.shopify.com/s/files/1/0429/3722/1276/files/galofarevemopawudut.pdf
- https://cdn.shopify.com/s/files/1/0438/5370/9472/files/bhagavad_gita_free_download_in_gujarati.pdf
- https://cdn.shopify.com/s/files/1/0465/5310/4542/files/1724123511.pdf
- https://17f32d3d-21a9-4af3-971f-80e50d57cc25.filesusr.com/ugd/badafb_fa966f9ea1b3416db6927f1fb8650d3f.pdf?index=true
- https://95436cbb-6ba0-40f3-bbf7-3b5b37ff98ca.filesusr.com/ugd/0182ef_4cd773aec1234e169ae048c2c48bc827.pdf?index=true
- https://35fe3c21-4b01-4d79-9ffa-5279c639fec3.filesusr.com/ugd/64e449_ae329eae9018456e9d3fea28e28bbf55.pdf?index=true
- https://cdn.shopify.com/s/files/1/0435/2029/5064/files/25476853319.pdf
- https://cdn.shopify.com/s/files/1/0434/5544/7202/files/ferokewedumumu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000a347.bina64112ab3fc2be0f8d704256405e70d9eff0e801cebbeb3387838446cdd93499 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA347 | 5488 bytes |
font_01_sfnt_off0000b5e6.bindcb0a8276f10ae6333d66c4a569a1b3936a9be11eaa140821f22a0a138fadf74 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xB5E6 | 9880 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.