MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a large number of embedded links, many of which point to a redirector service. The primary malicious URL identified is https://ttraff.cc/wix?keyword=la+divina+comedia+resumen+pdf, which is flagged as a malicious redirector. The document body, though heavily obfuscated, contains references to this URL and appears to be a lure for users searching for specific PDF content. The presence of numerous links suggests a link farm or SEO poisoning tactic to distribute malicious content.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wix?keyword=la+divina+comedia+resumen+pdf
- https://static.usrfiles.com/ugd/b8c837_991e4aabd90e40d9a871c1730d796e90.pdf
- https://static.usrfiles.com/ugd/b8c837_d0003d6e7db749eeb8e3909d91259118.pdf
- https://static.usrfiles.com/ugd/b8c837_14ff98af2433439eacffcc91ab3a4e19.pdf
- https://static.usrfiles.com/ugd/b8c837_778064ffdee04353abbbbfaab9dbc789.pdf
- https://static.usrfiles.com/ugd/b8c837_79c503918db642ea8fd40569d4896876.pdf
- https://cdn.shopify.com/s/files/1/0434/8457/7958/files/biwi_ke_huqooq_shohar_par_in_islam_in_urdu.pdf
- https://cdn.shopify.com/s/files/1/0435/0600/8216/files/tudumoguwa.pdf
- https://cdn.shopify.com/s/files/1/0431/4506/8699/files/after_netflix_movie.pdf
- https://cdn.shopify.com/s/files/1/0430/8969/0773/files/7194822083.pdf
- https://cdn.shopify.com/s/files/1/0427/6623/7852/files/flight_simulator_x_mods.pdf
- https://cdn.shopify.com/s/files/1/0429/9672/7957/files/jajegavewoparogepudedus.pdf
- https://cdn.shopify.com/s/files/1/0429/0645/2127/files/pokipitexovawofugor.pdf
- https://cdn.shopify.com/s/files/1/0435/5715/9063/files/punudinazakajezimepifiner.pdf
- https://cdn.shopify.com/s/files/1/0428/7247/1715/files/busqueda_de_empleo.pdf
- https://cdn.shopify.com/s/files/1/0434/0531/2154/files/nadonarimok.pdf
- https://cdn.shopify.com/s/files/1/0432/3177/2835/files/91391041192.pdf
- https://cdn.shopify.com/s/files/1/0428/7237/3414/files/sipode.pdf
- https://cdn.shopify.com/s/files/1/0440/8619/8424/files/vixorolus.pdf
- https://cdn.shopify.com/s/files/1/0431/0722/1661/files/avast_pro_antivirus_license_file.pdf
- https://cdn.shopify.com/s/files/1/0432/5815/1072/files/baldor_motor_catalogue.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/0431/0722/1661/files/avast_pro_a
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006b4f.bin8b9cf28175a0c325424b810f0e9f29b72b1ba8ed7c5ca4694b6b4d9faaf82c4e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6B4F | 5268 bytes |
font_01_sfnt_off00007d28.bine7ec95942544a0c1d9425d2d76ed2aff57bfd1c04d49e6ad5c0fc5fab718ef11 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7D28 | 11436 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.