MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.001 User Execution: Malicious Link
T1059.001 Command and Scripting Interpreter: PowerShell
The PDF file contains a large number of embedded links, many of which point to external resources. One critical heuristic firing indicates a PDF link to known malicious redirector infrastructure, specifically `https://ttraff.me/wix?keyword=the+oxford+solid+state+basics+solutions+pdf`. The document body, though heavily obfuscated, contains this URL and other PDF links, suggesting a link farm or SEO poisoning tactic to lure users. The presence of a 'download button' heuristic further supports a lure-based attack pattern.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.me/wix?keyword=the+oxford+solid+state+basics+solutions+pdf
- http://files.cavalierkingcharlesspanieldogs.com/uploads/1/3/1/4/131453111/2a98ed.pdf
- http://jixanup.camwenrich.com/uploads/1/3/0/9/130969723/9f45f641710e10.pdf
- https://580141f1-2272-4449-8b3a-da0cbf19623f.filesusr.com/ugd/a2d007_49e7a8442d3849759796f36ac3bdef33.pdf?index=true
- https://4aa21045-1445-4f8d-ad48-7a2c7bc38cab.filesusr.com/ugd/409ca8_0d22d3f25a5142c9bd8fff651bf6bf66.pdf?index=true
- https://8807c3b0-a94e-4082-909e-46bfee6daac2.filesusr.com/ugd/97493d_4f844db62472446995d17a53fa838d90.pdf?index=true
- https://cdn.shopify.com/s/files/1/0461/0424/8484/files/gnei_beklerken_10_blm.pdf
- https://cdn.shopify.com/s/files/1/0463/6796/5339/files/ms_word_cv_templates.pdf
- https://cdn.shopify.com/s/files/1/0428/8079/4790/files/nph_davis.pdf
- https://cdn.shopify.com/s/files/1/0430/4162/0119/files/alphabetical_order_worksheets_for_grade_3.pdf
- https://64bef9fa-4013-48f1-b415-54ac9f05a321.filesusr.com/ugd/314c35_646fd2b745d7427c9da33adad0cc8ade.pdf?index=true
- https://ea020e05-4b1f-4feb-b6a1-956eb7d74521.filesusr.com/ugd/d01287_63a8e82a2ca943e1ab0f8ace9ad2d478.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000061a7.bindfb6ce54207a1b5f56dab4ba0e8c00113a2889afb3c5e6c34b28e8d11aa8d95e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x61A7 | 5400 bytes |
font_01_sfnt_off000073ff.bin98f0eda8b893efa1560890be438bb35ddad4318d49cdfb567b2efdb3a594e5f7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x73FF | 10916 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.