MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.001 Malicious Link
T1059.001 PowerShell
The PDF contains a malicious redirector link pointing to 'https://ttraff.cc/pify?keyword=how+to+delete+insta+account', which is a critical finding. Additionally, the document exhibits characteristics of a password-protected archive lure and a callback phishing lure, suggesting a multi-stage attack. The presence of numerous external PDF links, many hosted on Shopify, indicates a link farm designed to obscure the ultimate destination. No scripts were extracted from this sample.
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Callback phishing phone lure medium SE_CALLBACK_LUREDocument asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=how+to+delete+insta+account
- http://xivovum.triplecrownlacrosse.com/uploads/1/3/1/4/131453558/detax.pdf
- http://badul.eatingnosetotail.com/uploads/1/3/1/4/131482975/c8c28899.pdf
- http://files.texashollandlops.com/uploads/1/3/1/3/131379371/7953459.pdf
- http://files.twistedtangerine.com/uploads/1/3/2/6/132682295/a23c91fe5c23.pdf
- http://nomupezaj.forzegym.com/uploads/1/3/0/8/130874431/liwipozugedawe_levakijaxokuzo_nurisezabepopew_waginise.pdf
- https://cdn.shopify.com/s/files/1/0431/7144/6939/files/17637335566.pdf
- https://cdn.shopify.com/s/files/1/0431/7790/2234/files/flexner_report_summary.pdf
- https://cdn.shopify.com/s/files/1/0433/8253/8403/files/darazuvepomulobuxinip.pdf
- https://cdn.shopify.com/s/files/1/0433/4708/3429/files/cancer_de_cervix_sintomas.pdf
- https://cdn.shopify.com/s/files/1/0428/3842/5766/files/tremendos_galileos_discografia.pdf
- https://cdn.shopify.com/s/files/1/0430/7386/3842/files/fegaxilelotuturid.pdf
- https://cdn.shopify.com/s/files/1/0432/3888/3485/files/regulatory_reporting_job_singapore.pdf
- https://cdn.shopify.com/s/files/1/0434/5331/7272/files/arcview_gis_3._2_manual.pdf
- https://cdn.shopify.com/s/files/1/0457/0352/8604/files/11157716444.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006a2a.bin2679fc22d4d5fad77b312b5fc7f287e60050482124936fdbbf47fa5aabc5a4fb |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6A2A | 4892 bytes |
font_01_sfnt_off00007aee.bin048dc6ba3039626782962cd1205b20bc8df7b571f39651e505336bb4ee7c047a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7AEE | 10232 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.