MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.cc/wix?keyword=ashampoo+burning+studio'. This URL is likely used to trick users into downloading malicious content or visiting phishing pages. The document body, though heavily obfuscated, contains fragments that suggest a lure related to 'Ashampoo burning studio', reinforcing the social engineering aspect. The presence of numerous external links, many hosted on cdn.shopify.com, indicates a link farm strategy to distribute the malicious redirector.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wix?keyword=ashampoo+burning+studio
- https://static.usrfiles.com/ugd/32777b_aca76810be1b47a6843141d97be4c5d7.pdf
- https://static.usrfiles.com/ugd/6846fe_86427a74036042f689e85fc09e1efa36.pdf
- https://static.usrfiles.com/ugd/e33828_1ce97209eb0046bbb5353cb0e042db26.pdf
- https://static.usrfiles.com/ugd/4dd980_b2cd8a30fd5c437f842446fb97d3bf41.pdf
- https://static.usrfiles.com/ugd/3e9e83_d9265ef8d9a7464699690ca98358a170.pdf
- https://cdn.shopify.com/s/files/1/0432/0365/7887/files/git_flow_cheat_sheet.pdf
- https://cdn.shopify.com/s/files/1/0440/3183/6310/files/soborejoj.pdf
- https://cdn.shopify.com/s/files/1/0431/7098/8188/files/90529984764.pdf
- https://cdn.shopify.com/s/files/1/0434/4024/2840/files/xaxinuxixizepusix.pdf
- https://cdn.shopify.com/s/files/1/0429/8365/3535/files/64821835923.pdf
- https://cdn.shopify.com/s/files/1/0429/0448/6055/files/kibexesafesuzosexaga.pdf
- https://cdn.shopify.com/s/files/1/0432/2626/7816/files/zulekekawolef.pdf
- https://cdn.shopify.com/s/files/1/0429/4829/6857/files/gakasepedavebulo.pdf
- https://cdn.shopify.com/s/files/1/0428/5680/8615/files/jefotokuse.pdf
- https://cdn.shopify.com/s/files/1/0433/4937/7174/files/70492724272.pdf
- https://cdn.shopify.com/s/files/1/0436/3350/8512/files/29067263206.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006f59.binf9ee007b4f5858b11d0079ef025e6738eb8e3b5fa5eb6ab5b5e72f7ffae35b96 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6F59 | 20392 bytes |
font_01_sfnt_off0000af6b.bin67437923c17eb636ce2ac01852a5d5318396db187ac9380f9ce608eedcce4013 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xAF6B | 5232 bytes |
font_02_sfnt_off0000c0f4.binae6c5a544004f5c21c484207ccd1424b238578de5d6f60181c6f0afe18c8e8c3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC0F4 | 14988 bytes |
font_03_sfnt_off0000ef3f.bin05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEF3F | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.