Malware Insights
The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.cc/pify?keyword=task+timeline+template+excel'. This URL is presented within the document body, disguised as a 'Task timeline template excel'. The file also exhibits characteristics of a PDF link farm, with numerous external links, one of which is to 'https://cdn.shopify.com/s/files/1/0434/1088/2716/files/repusatosiwaro.pdf'. The presence of these links and the invoice lure heuristic suggest a phishing or social engineering attack aimed at redirecting users to malicious content.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Fake invoice / payment lure low SE_INVOICE_LUREDocument contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=task+timeline+template+excel
- https://cdn.shopify.com/s/files/1/0434/1088/2716/files/repusatosiwaro.pdf
- https://cdn.shopify.com/s/files/1/0434/2677/5196/files/vaneb.pdf
- https://cdn.shopify.com/s/files/1/0448/0257/2437/files/consumer_reports_zero_turn_mowers.pdf
- https://cdn.shopify.com/s/files/1/0432/5654/5433/files/niwaxibo.pdf
- https://cdn.shopify.com/s/files/1/0431/2114/8061/files/javologud.pdf
- https://cdn.shopify.com/s/files/1/0434/4319/1960/files/87841803736.pdf
- https://cdn.shopify.com/s/files/1/0435/9772/5864/files/28448171980.pdf
- https://cdn.shopify.com/s/files/1/0428/9105/1161/files/diponobosigibenisitomiza.pdf
- https://cdn.shopify.com/s/files/1/0428/2476/1510/files/tizowinubipitedorig.pdf
- https://cdn.shopify.com/s/files/1/0434/2654/5820/files/xexonebu.pdf
- https://static.usrfiles.com/ugd/72b0e7_ceedc7d8370a428b902b3877802dcf16.pdf
- https://static.usrfiles.com/ugd/6a7407_292452c8a57442239f3783d192340bfa.pdf
- https://static.usrfiles.com/ugd/b8c837_025290823c7942dbb525e6fbd0937e2c.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00007e1b.binee705c97e2937943dad86e3b100b86ef078c8b07b17f59dc319b44fb996d1627 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7E1B | 5064 bytes |
font_01_sfnt_off00008f4d.bin7705a811e6148e1b218845640dd945f95401b4085252fa3e7800b93ea4f28776 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8F4D | 10060 bytes |
font_02_sfnt_off0000b1fc.binb7d3fe0f0eed6e60c79e5026c6c3c7babf05c9d359090ed5b12ebb11be5d450a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xB1FC | 16120 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.