MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.001 Malicious Link
T1059.001 PowerShell
The PDF contains a link to a known malicious redirector, ttraff.ru, disguised as a "new homes fair" advertisement. It also functions as a link farm, pointing to numerous other PDFs hosted on cdn.shopify.com. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' suggests this PDF may be intended to provide instructions for accessing a password-protected archive, a common tactic to bypass gateway security. No scripts were extracted from this sample.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wix?keyword=new+homes+fair+oaks+ca
- https://static.usrfiles.com/ugd/158fb9_617d7b5edde84f23854e3408dd98472a.pdf
- https://static.usrfiles.com/ugd/9757e7_19d349cd3ed148d587ead934903e6aa3.pdf
- https://static.usrfiles.com/ugd/dd4472_40121ebc0a61469ab00baced840cbd05.pdf
- https://cdn.shopify.com/s/files/1/0432/9452/3552/files/jitovuzegezulenuwiwev.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/23582012054.pdf
- https://cdn.shopify.com/s/files/1/0432/4088/2343/files/free_jazz_guitar_sheet_music.pdf
- https://cdn.shopify.com/s/files/1/0435/4090/6143/files/rtl_sdr_raspberry_pi.pdf
- https://cdn.shopify.com/s/files/1/0434/5207/2086/files/19277703948.pdf
- https://cdn.shopify.com/s/files/1/0448/3586/4736/files/winrar_file_password_recovery_software_free.pdf
- https://cdn.shopify.com/s/files/1/0431/5539/0630/files/opera_browser_for_win_xp_free.pdf
- https://cdn.shopify.com/s/files/1/0435/6925/0463/files/vert_shock_week_1.pdf
- https://cdn.shopify.com/s/files/1/0440/6594/7800/files/gerudo_valley_sheet_music_cello.pdf
- https://static.usrfiles.com/ugd/0aab01_2efbcaa02ef84d84b948d7b79b347abd.pdf
- https://static.usrfiles.com/ugd/b8c837_1fdf14fbccdf47169eb3b1d1f1c95a63.pdf
- https://static.usrfiles.com/ugd/7598fa_0829730c0c284959a30b7bbba637fd1b.pdf
- https://static.usrfiles.com/ugd/b8c837_2a21f5c85e794d8d9114d9f97d24ec2e.pdf
- https://static.usrfiles.com/ugd/b8c837_64682bde39c842ba9043fa866b958498.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000063d2.bin3f7c402f02cff75337cb5347414d2d005d8ecf6b81e9268768a5d97cb629c4bf |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x63D2 | 4816 bytes |
font_01_sfnt_off0000743a.binca8da9734e59eaf015067a55b87dfc8d7e5faccb3b68afebedbb6bbdb722330d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x743A | 10744 bytes |
font_02_sfnt_off000098fb.bin05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x98FB | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.