MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.ru'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs, many hosted on Shopify. The presence of the 'SE_PASSWORD_ARCHIVE_LURE' heuristic suggests the document may be a precursor to delivering a password-protected archive, a common tactic to bypass security filters. The embedded URLs and the redirector link are the primary indicators of malicious intent.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=atmel+studio+6.+1++64+bit
- http://fakoj.tarabooth.com/uploads/1/3/1/4/131437044/7219802.pdf
- http://files.foldedfeather.com/uploads/1/3/1/4/131482886/tapuloloxudito.pdf
- http://files.nooracademyonline.com/uploads/1/3/2/6/132681390/8141325f7274f6f.pdf
- https://cdn.shopify.com/s/files/1/0432/4560/0936/files/xugodosakab.pdf
- https://cdn.shopify.com/s/files/1/0441/4259/2152/files/winivuketutono.pdf
- https://cdn.shopify.com/s/files/1/0431/7514/9719/files/assinatura_digital_em.pdf
- https://cdn.shopify.com/s/files/1/0438/4364/9698/files/21538699961.pdf
- https://cdn.shopify.com/s/files/1/0428/5975/7734/files/zajelusirobom.pdf
- https://cdn.shopify.com/s/files/1/0437/7133/0709/files/kunetuviri.pdf
- https://cdn.shopify.com/s/files/1/0437/6431/8359/files/70114462305.pdf
- https://cdn.shopify.com/s/files/1/0445/4167/3636/files/shunting_yard_algorithm_c.pdf
- https://cdn.shopify.com/s/files/1/0432/4599/4146/files/wolf_handbook_2017.pdf
- https://cdn.shopify.com/s/files/1/0432/1663/4016/files/weather_report_for_the_week_durban.pdf
- https://cdn.shopify.com/s/files/1/0428/1165/4307/files/keliripojenomo.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005294.bin11b122ce4eeecb1e53b9cbf0333fa2f56b20dc6e370f39d3c2dc508d1924a926 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5294 | 5120 bytes |
font_01_sfnt_off00006400.binc2faec39a7cdcf2fcc858ef71ec33f5c30ec49d27ff775af4dca682adf003321 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6400 | 9988 bytes |
font_02_sfnt_off0000866e.bin75c9b7ffee31afcfde02f98db799ee1bd00ca9268483b013c5b4ee9c3c0844f2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x866E | 16100 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.